Audit:[timestamp=06-14-2022 22:16:27.878, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1655244960_78327', total_run_time=220614.83, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655244970, api_et=1655240760.000000000, api_lt=1655244360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655241360.000000000, search_lt=1655244971.847974000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3165", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_118a3b4c0d529dcb", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=978, eliminated_buckets=287, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=668, invocations.command.search.index.bucketcache.hit=978, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search 
index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 22:14:27.755, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1655244840_78287', total_run_time=4.22, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655244863, api_et=1655241240.000000000, api_lt=1655244840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655241240.000000000, search_lt=1655244865.136898000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2847", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=372, eliminated_buckets=249, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=73, invocations.command.search.index.bucketcache.hit=367, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull 
value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-14-2022 22:11:27.739, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1655244660_78220', total_run_time=5.08, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655244664, api_et=1655241060.000000000, api_lt=1655244660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655241060.000000000, search_lt=1655244666.735852000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="3103", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_de0ee456c4d13276", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=119, eliminated_buckets=49, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=36, invocations.command.search.index.bucketcache.hit=119, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, 
duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 22:09:47.400, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1655244420_78172', total_run_time=4.40, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655244484, api_et=1655240820.000000000, api_lt=1655244420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655240820.000000000, search_lt=1655244486.803730000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2968", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=377, eliminated_buckets=179, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=95, invocations.command.search.index.bucketcache.hit=374, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-14-2022 22:09:46.757, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1655244420_78161', total_run_time=4.90, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655244446, api_et=1655240820.000000000, api_lt=1655244420.000000000, api_index_et=N/A, 
api_index_lt=N/A, search_et=1655240820.000000000, search_lt=1655244448.123091000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2963", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_c97e4c56d3e6bee7", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=377, eliminated_buckets=179, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=98, invocations.command.search.index.bucketcache.hit=374, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine 
"sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 22:09:46.583, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1655244540_78189', total_run_time=19.05, event_count=0, result_count=0, available_count=0, scan_count=4418254, drop_count=0, exec_time=1655244545, api_et=1655240340.000000000, api_lt=1655243940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655240340.000000000, search_lt=1655243940.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3151", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_b9da0af5c2ecf2fb", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=798, eliminated_buckets=387, considered_events=4418254, total_slices=1145408, decompressed_slices=217646, duration.command.search.index=1853, invocations.command.search.index.bucketcache.hit=796, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=34489, invocations.command.search.rawdata.bucketcache.hit=9, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=101, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 21:44:26.694, user=u00001, action=search, 
info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1655242980_77694', total_run_time=22.20, event_count=0, result_count=0, available_count=0, scan_count=3608, drop_count=0, exec_time=1655243018, api_et=1655239380.000000000, api_lt=1655242980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655239380.000000000, search_lt=1655243020.385700000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3028", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_8a8dd5064d3d8fb7", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=132, eliminated_buckets=0, considered_events=3608, total_slices=1084717, decompressed_slices=1518, duration.command.search.index=1154, invocations.command.search.index.bucketcache.hit=132, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5049, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") 
earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 21:38:56.365, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1655242380_77488', total_run_time=306.02, event_count=0, result_count=0, available_count=0, scan_count=42032749, drop_count=0, exec_time=1655242405, api_et=1655238780.000000000, api_lt=1655242380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655238780.000000000, search_lt=1655242407.828651000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="4159", has_error_msg=true, fully_completed_search=false, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_05ec47551aab6d91", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1832, eliminated_buckets=116, considered_events=42032749, total_slices=14445632, decompressed_slices=4602656, duration.command.search.index=16547, invocations.command.search.index.bucketcache.hit=1832, 
duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=253428, invocations.command.search.rawdata.bucketcache.hit=322, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 21:16:26.757, user=u00001, action=search, info=completed, 
search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1655241360_77146', total_run_time=7.90, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655241371, api_et=1655237160.000000000, api_lt=1655240760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655237760.000000000, search_lt=1655241372.963232000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3409", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_17798c9574dcd513", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=979, eliminated_buckets=287, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=692, invocations.command.search.index.bucketcache.hit=979, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR 
sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 21:14:56.498, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1655241240_77106', total_run_time=4.13, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655241263, api_et=1655237640.000000000, api_lt=1655241240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655237640.000000000, search_lt=1655241265.289727000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2766", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=397, eliminated_buckets=272, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=46, invocations.command.search.index.bucketcache.hit=394, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull 
value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-14-2022 21:11:10.096, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1655241060_77040', total_run_time=4.96, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655241064, api_et=1655237460.000000000, api_lt=1655241060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655237460.000000000, search_lt=1655241066.458855000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2693", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_60aa6841ca22ead3", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=121, eliminated_buckets=50, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=37, invocations.command.search.index.bucketcache.hit=121, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, 
duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 21:10:42.743, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1655240820_76987', total_run_time=4.73, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655240880, api_et=1655237220.000000000, api_lt=1655240820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655237220.000000000, search_lt=1655240882.590096000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - Windows - CLI Threat Indicator Detected - Rule", search_startup_time="3063", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=398, eliminated_buckets=188, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=100, invocations.command.search.index.bucketcache.hit=395, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-14-2022 21:10:42.152, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1655240940_77006', total_run_time=18.35, event_count=0, result_count=0, available_count=0, scan_count=4321228, drop_count=0, exec_time=1655240946, api_et=1655236740.000000000, api_lt=1655240340.000000000, 
api_index_et=N/A, api_index_lt=N/A, search_et=1655236740.000000000, search_lt=1655240340.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3202", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_abac810524878518", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=798, eliminated_buckets=385, considered_events=4321228, total_slices=1099002, decompressed_slices=212196, duration.command.search.index=3739, invocations.command.search.index.bucketcache.hit=797, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=35047, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=89, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | 
stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 21:10:41.273, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1655240820_76982', total_run_time=6.37, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655240846, api_et=1655237220.000000000, api_lt=1655240820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655237220.000000000, search_lt=1655240848.508188000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2738", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_87bdf422fde380d5", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=396, eliminated_buckets=188, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=108, invocations.command.search.index.bucketcache.hit=393, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, 
invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 21:00:26.173, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655240340_76791', total_run_time=220614.91, event_count=0, result_count=0, available_count=0, scan_count=30589400, drop_count=0, exec_time=1655240390, api_et=1655225940.000000000, api_lt=1655240340.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655225940.000000000, search_lt=1655240340.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2657", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=30589400, total_slices=1541171, decompressed_slices=515955, duration.command.search.index=11277, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=104922, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=14208333, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 20:59:10.211, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655240280_76778', total_run_time=15.47, event_count=0, result_count=0, available_count=0, scan_count=30582125, drop_count=0, exec_time=1655240329, api_et=1655225880.000000000, api_lt=1655240280.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655225880.000000000, search_lt=1655240280.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2580", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=30582125, total_slices=1538828, decompressed_slices=515897, duration.command.search.index=10924, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=75240, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=14204911, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 20:59:09.458, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655240220_76763', total_run_time=16.64, event_count=0, result_count=0, available_count=0, scan_count=30580693, drop_count=0, exec_time=1655240269, api_et=1655225820.000000000, api_lt=1655240220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655225820.000000000, search_lt=1655240220.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2656", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=30580693, total_slices=1536437, decompressed_slices=515785, duration.command.search.index=11411, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=76138, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=14203148, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 20:59:07.074, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655240160_76746', total_run_time=15.68, event_count=0, result_count=0, available_count=0, scan_count=30580547, drop_count=0, exec_time=1655240209, api_et=1655225760.000000000, api_lt=1655240160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655225760.000000000, search_lt=1655240160.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2598", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=30580547, total_slices=1534298, decompressed_slices=515742, duration.command.search.index=10925, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=80635, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=14200169, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 20:56:17.917, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655240100_76735', total_run_time=19.48, event_count=0, result_count=0, available_count=0, scan_count=30577960, drop_count=0, exec_time=1655240149, api_et=1655225700.000000000, api_lt=1655240100.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655225700.000000000, search_lt=1655240100.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2713", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=30577960, total_slices=1532034, decompressed_slices=515502, duration.command.search.index=11410, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=80566, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=14197280, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 20:55:18.105, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655240040_76720', total_run_time=17.67, event_count=0, result_count=0, available_count=0, scan_count=30570767, drop_count=0, exec_time=1655240090, api_et=1655225640.000000000, api_lt=1655240040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655225640.000000000, search_lt=1655240040.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3201", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=30570767, total_slices=1529650, decompressed_slices=515235, duration.command.search.index=11824, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=75698, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=14192576, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 20:54:17.839, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655239980_76703', total_run_time=17.73, event_count=0, result_count=0, available_count=0, scan_count=30565633, drop_count=0, exec_time=1655240030, api_et=1655225580.000000000, api_lt=1655239980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655225580.000000000, search_lt=1655239980.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2713", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=30565633, total_slices=1527396, decompressed_slices=515184, duration.command.search.index=12275, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=81425, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=14188873, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 20:53:19.236, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655239920_76680', total_run_time=17.21, event_count=0, result_count=0, available_count=0, scan_count=30564408, drop_count=0, exec_time=1655239969, api_et=1655225520.000000000, api_lt=1655239920.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655225520.000000000, search_lt=1655239920.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2363", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=30564408, total_slices=1524993, decompressed_slices=515235, duration.command.search.index=11338, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=82124, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=14187093, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 20:52:17.836, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655239860_76663', total_run_time=24.64, event_count=0, result_count=0, available_count=0, scan_count=30559305, drop_count=0, exec_time=1655239910, api_et=1655225460.000000000, api_lt=1655239860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655225460.000000000, search_lt=1655239860.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2659", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=30559305, total_slices=1522919, decompressed_slices=515185, duration.command.search.index=13679, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=90373, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=14183770, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 20:51:18.398, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655239800_76639', total_run_time=21.82, event_count=0, result_count=0, available_count=0, scan_count=30556881, drop_count=0, exec_time=1655239849, api_et=1655225400.000000000, api_lt=1655239800.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655225400.000000000, search_lt=1655239800.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2760", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=30556881, total_slices=1520464, decompressed_slices=515096, duration.command.search.index=11949, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=87116, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=14182364, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 20:50:48.260, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655239740_76616', total_run_time=29.77, event_count=0, result_count=0, available_count=0, scan_count=30546625, drop_count=0, exec_time=1655239789, api_et=1655225340.000000000, api_lt=1655239740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655225340.000000000, search_lt=1655239740.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2818", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=30546625, total_slices=1516923, decompressed_slices=514969, duration.command.search.index=12319, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=103764, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=14176197, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 20:49:17.816, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655239680_76595', total_run_time=19.27, event_count=0, result_count=0, available_count=0, scan_count=30551250, drop_count=0, exec_time=1655239729, api_et=1655225280.000000000, api_lt=1655239680.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655225280.000000000, search_lt=1655239680.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2816", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=30551250, total_slices=1515920, decompressed_slices=515052, duration.command.search.index=12576, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=86694, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=14176431, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 20:48:18.041, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655239620_76579', total_run_time=18.17, event_count=0, result_count=0, available_count=0, scan_count=30545500, drop_count=0, exec_time=1655239669, api_et=1655225220.000000000, api_lt=1655239620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655225220.000000000, search_lt=1655239620.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2680", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=30545500, total_slices=1513779, decompressed_slices=514971, duration.command.search.index=11987, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=79820, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=14171196, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 20:47:28.087, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655239560_76558', total_run_time=15.93, event_count=0, result_count=0, available_count=0, scan_count=30547101, drop_count=0, exec_time=1655239609, api_et=1655225160.000000000, api_lt=1655239560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655225160.000000000, search_lt=1655239560.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2818", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=30547101, total_slices=1511349, decompressed_slices=515006, duration.command.search.index=11021, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=76552, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=14167784, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 20:46:18.093, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655239500_76540', total_run_time=22.21, event_count=0, result_count=0, available_count=0, scan_count=30546049, drop_count=0, exec_time=1655239549, api_et=1655225100.000000000, api_lt=1655239500.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655225100.000000000, search_lt=1655239500.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2701", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=30546049, total_slices=1509131, decompressed_slices=514945, duration.command.search.index=10741, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=83433, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=14164090, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 20:45:18.322, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655239440_76518', total_run_time=20.38, event_count=0, result_count=0, available_count=0, scan_count=30544223, drop_count=0, exec_time=1655239489, api_et=1655225040.000000000, api_lt=1655239440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655225040.000000000, search_lt=1655239440.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2654", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=30544223, total_slices=1506925, decompressed_slices=514851, duration.command.search.index=11320, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=82599, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=14158559, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 20:44:17.926, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1655239380_76494', total_run_time=34.37, event_count=0, result_count=0, available_count=0, scan_count=2801, drop_count=0, exec_time=1655239418, api_et=1655235780.000000000, api_lt=1655239380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655235780.000000000, search_lt=1655239420.145709000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2961", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_e7b1448208b96df1", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=2801, total_slices=978987, decompressed_slices=1017, duration.command.search.index=1806, invocations.command.search.index.bucketcache.hit=133, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=6264, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 20:44:17.909, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655239380_76497', total_run_time=24.33, event_count=0, result_count=0, available_count=0, scan_count=30543231, drop_count=0, exec_time=1655239429, api_et=1655224980.000000000, api_lt=1655239380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655224980.000000000, search_lt=1655239380.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2664", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=30543231, total_slices=1504739, decompressed_slices=514864, duration.command.search.index=12180, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=95361, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=14154214, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 20:43:44.047, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655239260_76446', total_run_time=24.21, event_count=0, result_count=0, available_count=0, scan_count=30537787, drop_count=0, exec_time=1655239309, api_et=1655224860.000000000, api_lt=1655239260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655224860.000000000, search_lt=1655239260.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2667", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=30537787, total_slices=1500143, decompressed_slices=514728, duration.command.search.index=13552, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=109463, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=14145167, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 20:43:43.240, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655239320_76469', total_run_time=27.86, event_count=0, result_count=0, available_count=0, scan_count=30538745, drop_count=0, exec_time=1655239369, api_et=1655224920.000000000, api_lt=1655239320.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655224920.000000000, search_lt=1655239320.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2640", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=30538745, total_slices=1502328, decompressed_slices=514767, duration.command.search.index=14984, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=118873, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=14147978, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 20:41:37.050, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655239200_76421', total_run_time=29.43, event_count=0, result_count=0, available_count=0, scan_count=30527449, drop_count=0, exec_time=1655239250, api_et=1655224800.000000000, api_lt=1655239200.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655224800.000000000, search_lt=1655239200.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2979", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=1, considered_events=30527449, total_slices=1497544, decompressed_slices=514548, duration.command.search.index=17412, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=134725, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=14140188, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 20:40:37.609, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655239140_76399', total_run_time=32.34, event_count=0, result_count=0, available_count=0, scan_count=30520196, drop_count=0, exec_time=1655239189, api_et=1655224740.000000000, api_lt=1655239140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655224740.000000000, search_lt=1655239140.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2789", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=2, considered_events=30520196, total_slices=1495501, decompressed_slices=514385, duration.command.search.index=14614, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=144310, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=14135180, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 20:39:23.776, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655239080_76383', total_run_time=20.30, event_count=0, result_count=0, available_count=0, scan_count=30510885, drop_count=0, exec_time=1655239130, api_et=1655224680.000000000, api_lt=1655239080.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655224680.000000000, search_lt=1655239080.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2667", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=2, considered_events=30510885, total_slices=1493347, decompressed_slices=514239, duration.command.search.index=12780, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=94065, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=14131826, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 20:39:23.674, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1655238780_76273', total_run_time=349.90, event_count=0, result_count=0, available_count=0, scan_count=41941336, drop_count=0, exec_time=1655238805, api_et=1655235180.000000000, api_lt=1655238780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655235180.000000000, search_lt=1655238807.216404000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3967", has_error_msg=true, fully_completed_search=false, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_8f22441767314a66", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1844, eliminated_buckets=116, considered_events=41941336, total_slices=14608111, decompressed_slices=4545008, duration.command.search.index=14916, invocations.command.search.index.bucketcache.hit=1847, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=238828, invocations.command.search.rawdata.bucketcache.hit=336, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 20:38:56.882, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655238960_76353', total_run_time=23.44, event_count=0, result_count=0, available_count=0, scan_count=30492513, drop_count=0, exec_time=1655239010, api_et=1655224560.000000000, api_lt=1655238960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655224560.000000000, search_lt=1655238960.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2904", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=2, considered_events=30492513, total_slices=1488581, decompressed_slices=513921, duration.command.search.index=13948, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=103371, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=14124819, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 20:38:56.875, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655239020_76368', total_run_time=26.48, event_count=0, result_count=0, available_count=0, scan_count=30504796, drop_count=0, exec_time=1655239070, api_et=1655224620.000000000, api_lt=1655239020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655224620.000000000, search_lt=1655239020.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2917", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=2, considered_events=30504796, total_slices=1490924, decompressed_slices=514134, duration.command.search.index=13770, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=100653, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=14128803, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 20:36:21.915, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655238900_76343', total_run_time=31.18, event_count=0, result_count=0, available_count=0, scan_count=30490180, drop_count=0, exec_time=1655238949, api_et=1655224500.000000000, api_lt=1655238900.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655224500.000000000, search_lt=1655238900.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2934", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=143, eliminated_buckets=1, considered_events=30490180, total_slices=1486034, decompressed_slices=513818, duration.command.search.index=17060, invocations.command.search.index.bucketcache.hit=143, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=143172, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=14120996, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 20:35:52.687, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655238840_76322', total_run_time=37.48, event_count=0, result_count=0, available_count=0, scan_count=30485029, drop_count=0, exec_time=1655238890, api_et=1655224440.000000000, api_lt=1655238840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655224440.000000000, search_lt=1655238840.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2823", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=142, eliminated_buckets=1, considered_events=30485029, total_slices=1484179, decompressed_slices=513742, duration.command.search.index=15229, invocations.command.search.index.bucketcache.hit=142, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=145424, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=14117194, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 20:34:50.587, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655238780_76287', total_run_time=39.20, event_count=0, result_count=0, available_count=0, scan_count=30476057, drop_count=0, exec_time=1655238829, api_et=1655224380.000000000, api_lt=1655238780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655224380.000000000, search_lt=1655238780.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2862", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=142, eliminated_buckets=1, considered_events=30476057, total_slices=1481558, decompressed_slices=513617, duration.command.search.index=14187, invocations.command.search.index.bucketcache.hit=142, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=104137, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=14114276, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 20:33:50.405, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655238720_76249', total_run_time=45.56, event_count=0, result_count=0, available_count=0, scan_count=30469717, drop_count=0, exec_time=1655238769, api_et=1655224320.000000000, api_lt=1655238720.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655224320.000000000, search_lt=1655238720.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2765", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=142, eliminated_buckets=1, considered_events=30469717, total_slices=1479277, decompressed_slices=513515, duration.command.search.index=14709, invocations.command.search.index.bucketcache.hit=142, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=113480, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=14110675, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 20:32:50.379, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655238660_76220', total_run_time=40.14, event_count=0, result_count=0, available_count=0, scan_count=30464075, drop_count=0, exec_time=1655238709, api_et=1655224260.000000000, api_lt=1655238660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655224260.000000000, search_lt=1655238660.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3206", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=142, eliminated_buckets=1, considered_events=30464075, total_slices=1476950, decompressed_slices=513440, duration.command.search.index=14703, invocations.command.search.index.bucketcache.hit=142, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=116629, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=14110199, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 20:31:50.607, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655238600_76192', total_run_time=43.45, event_count=0, result_count=0, available_count=0, scan_count=30465393, drop_count=0, exec_time=1655238649, api_et=1655224200.000000000, api_lt=1655238600.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655224200.000000000, search_lt=1655238600.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2772", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=141, eliminated_buckets=0, considered_events=30465393, total_slices=1474157, decompressed_slices=513423, duration.command.search.index=16798, invocations.command.search.index.bucketcache.hit=141, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=155999, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=14110563, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 20:30:21.960, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655238540_76159', total_run_time=19.69, event_count=0, result_count=0, available_count=0, scan_count=30464710, drop_count=0, exec_time=1655238590, api_et=1655224140.000000000, api_lt=1655238540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655224140.000000000, search_lt=1655238540.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2626", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=142, eliminated_buckets=0, considered_events=30464710, total_slices=1499276, decompressed_slices=513314, duration.command.search.index=11372, invocations.command.search.index.bucketcache.hit=142, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=103200, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=14110452, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 20:29:09.316, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655238480_76136', total_run_time=16.42, event_count=0, result_count=0, available_count=0, scan_count=30462868, drop_count=0, exec_time=1655238529, api_et=1655224080.000000000, api_lt=1655238480.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655224080.000000000, search_lt=1655238480.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2948", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=142, eliminated_buckets=0, considered_events=30462868, total_slices=1497183, decompressed_slices=513247, duration.command.search.index=11556, invocations.command.search.index.bucketcache.hit=142, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=78379, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=14107960, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 20:28:46.752, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655238360_76103', total_run_time=15.80, event_count=0, result_count=0, available_count=0, scan_count=30458572, drop_count=0, exec_time=1655238409, api_et=1655223960.000000000, api_lt=1655238360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655223960.000000000, search_lt=1655238360.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3016", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=142, eliminated_buckets=0, considered_events=30458572, total_slices=1492504, decompressed_slices=513234, duration.command.search.index=11574, invocations.command.search.index.bucketcache.hit=142, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=79939, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=14103765, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 20:28:46.400, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655238420_76121', total_run_time=16.03, event_count=0, result_count=0, available_count=0, scan_count=30461458, drop_count=0, exec_time=1655238469, api_et=1655224020.000000000, api_lt=1655238420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655224020.000000000, search_lt=1655238420.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2624", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=142, eliminated_buckets=0, considered_events=30461458, total_slices=1494743, decompressed_slices=513251, duration.command.search.index=11568, invocations.command.search.index.bucketcache.hit=142, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=77390, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=14106271, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 20:26:26.537, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655238300_76086', total_run_time=23.03, event_count=0, result_count=0, available_count=0, scan_count=30457752, drop_count=0, exec_time=1655238349, api_et=1655223900.000000000, api_lt=1655238300.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655223900.000000000, search_lt=1655238300.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3345", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=142, eliminated_buckets=0, considered_events=30457752, total_slices=1490352, decompressed_slices=513185, duration.command.search.index=11612, invocations.command.search.index.bucketcache.hit=142, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=81233, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=14103774, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 20:25:27.421, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655238240_76074', total_run_time=21.99, event_count=0, result_count=0, available_count=0, scan_count=30457214, drop_count=0, exec_time=1655238290, api_et=1655223840.000000000, api_lt=1655238240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655223840.000000000, search_lt=1655238240.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2840", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=142, eliminated_buckets=0, considered_events=30457214, total_slices=1488161, decompressed_slices=513047, duration.command.search.index=12534, invocations.command.search.index.bucketcache.hit=142, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=94166, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=14101549, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 20:24:26.544, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655238180_76055', total_run_time=35.18, event_count=0, result_count=0, available_count=0, scan_count=30454939, drop_count=0, exec_time=1655238230, api_et=1655223780.000000000, api_lt=1655238180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655223780.000000000, search_lt=1655238180.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2790", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=142, eliminated_buckets=0, considered_events=30454939, total_slices=1485910, decompressed_slices=512958, duration.command.search.index=13848, invocations.command.search.index.bucketcache.hit=142, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=99676, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=14100186, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 20:23:44.744, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655238120_76022', total_run_time=34.16, event_count=0, result_count=0, available_count=0, scan_count=30457740, drop_count=0, exec_time=1655238169, api_et=1655223720.000000000, api_lt=1655238120.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655223720.000000000, search_lt=1655238120.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2981", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=142, eliminated_buckets=0, considered_events=30457740, total_slices=1483542, decompressed_slices=512952, duration.command.search.index=15390, invocations.command.search.index.bucketcache.hit=142, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=122198, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=14098713, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 20:23:43.807, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655238060_76006', total_run_time=26.73, event_count=0, result_count=0, available_count=0, scan_count=30460673, drop_count=0, exec_time=1655238109, api_et=1655223660.000000000, api_lt=1655238060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655223660.000000000, search_lt=1655238060.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2694", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=142, eliminated_buckets=0, considered_events=30460673, total_slices=1481381, decompressed_slices=513005, duration.command.search.index=14243, invocations.command.search.index.bucketcache.hit=142, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=112468, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=14099126, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 20:21:23.854, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655238000_75977', total_run_time=17.93, event_count=0, result_count=0, available_count=0, scan_count=30456221, drop_count=0, exec_time=1655238049, api_et=1655223600.000000000, api_lt=1655238000.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655223600.000000000, search_lt=1655238000.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2703", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=142, eliminated_buckets=0, considered_events=30456221, total_slices=1478786, decompressed_slices=512831, duration.command.search.index=12285, invocations.command.search.index.bucketcache.hit=142, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=81698, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=14097686, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 20:20:23.988, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655237940_75954', total_run_time=22.17, event_count=0, result_count=0, available_count=0, scan_count=30449873, drop_count=0, exec_time=1655237989, api_et=1655223540.000000000, api_lt=1655237940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655223540.000000000, search_lt=1655237940.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2709", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=142, eliminated_buckets=0, considered_events=30449873, total_slices=1476848, decompressed_slices=512654, duration.command.search.index=11691, invocations.command.search.index.bucketcache.hit=142, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=95369, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=14096812, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 20:19:23.958, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655237880_75929', total_run_time=24.58, event_count=0, result_count=0, available_count=0, scan_count=30447035, drop_count=0, exec_time=1655237930, api_et=1655223480.000000000, api_lt=1655237880.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655223480.000000000, search_lt=1655237880.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2347", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=142, eliminated_buckets=0, considered_events=30447035, total_slices=1474782, decompressed_slices=512562, duration.command.search.index=14541, invocations.command.search.index.bucketcache.hit=142, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=116040, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=14092261, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 20:18:23.655, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655237820_75908', total_run_time=18.68, event_count=0, result_count=0, available_count=0, scan_count=30440841, drop_count=0, exec_time=1655237869, api_et=1655223420.000000000, api_lt=1655237820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655223420.000000000, search_lt=1655237820.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2678", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=142, eliminated_buckets=0, considered_events=30440841, total_slices=1498284, decompressed_slices=512355, duration.command.search.index=12492, invocations.command.search.index.bucketcache.hit=142, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=88740, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=14086507, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 20:17:50.208, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655237760_75885', total_run_time=17.58, event_count=0, result_count=0, available_count=0, scan_count=30439715, drop_count=0, exec_time=1655237809, api_et=1655223360.000000000, api_lt=1655237760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655223360.000000000, search_lt=1655237760.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2657", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=142, eliminated_buckets=0, considered_events=30439715, total_slices=1495893, decompressed_slices=512421, duration.command.search.index=11783, invocations.command.search.index.bucketcache.hit=142, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=83005, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=14083002, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 20:16:23.694, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655237700_75868', total_run_time=19.18, event_count=0, result_count=0, available_count=0, scan_count=30430022, drop_count=0, exec_time=1655237749, api_et=1655223300.000000000, api_lt=1655237700.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655223300.000000000, search_lt=1655237700.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2748", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=142, eliminated_buckets=0, considered_events=30430022, total_slices=1493863, decompressed_slices=512317, duration.command.search.index=12097, invocations.command.search.index.bucketcache.hit=142, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=88207, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=14077700, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 20:16:23.670, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1655237760_75879', total_run_time=9.41, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655237770, api_et=1655233560.000000000, api_lt=1655237160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655234160.000000000, search_lt=1655237772.944923000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3935", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_80d761fb12c10ae2", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=984, eliminated_buckets=288, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=712, invocations.command.search.index.bucketcache.hit=984, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) 
as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 20:15:23.759, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655237640_75849', total_run_time=23.16, event_count=0, result_count=0, available_count=0, scan_count=30429552, drop_count=0, exec_time=1655237690, api_et=1655223240.000000000, api_lt=1655237640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655223240.000000000, search_lt=1655237640.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2808", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=142, eliminated_buckets=0, considered_events=30429552, total_slices=1491538, decompressed_slices=512173, 
duration.command.search.index=11120, invocations.command.search.index.bucketcache.hit=142, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=85085, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=14075965, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 20:14:53.705, user=u00001, action=search, 
info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1655237640_75835', total_run_time=5.83, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655237663, api_et=1655234040.000000000, api_lt=1655237640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655234040.000000000, search_lt=1655237665.482805000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2858", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=411, eliminated_buckets=286, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=49, invocations.command.search.index.bucketcache.hit=408, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR 
sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." 
(CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-14-2022 20:14:23.672, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655237580_75825', total_run_time=26.93, event_count=0, result_count=0, available_count=0, scan_count=30422343, drop_count=0, exec_time=1655237629, api_et=1655223180.000000000, api_lt=1655237580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655223180.000000000, search_lt=1655237580.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2744", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=142, eliminated_buckets=0, considered_events=30422343, total_slices=1489221, decompressed_slices=512159, duration.command.search.index=11773, invocations.command.search.index.bucketcache.hit=142, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=84986, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=14071263, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 20:13:59.489, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655237520_75798', total_run_time=32.40, event_count=0, result_count=0, available_count=0, scan_count=30419121, drop_count=0, exec_time=1655237569, api_et=1655223120.000000000, api_lt=1655237520.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655223120.000000000, search_lt=1655237520.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2580", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=142, eliminated_buckets=0, considered_events=30419121, total_slices=1486952, decompressed_slices=512083, duration.command.search.index=13064, invocations.command.search.index.bucketcache.hit=142, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=99980, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=14069682, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 20:13:58.942, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655237460_75780', total_run_time=22.08, event_count=0, result_count=0, available_count=0, scan_count=30408783, drop_count=0, exec_time=1655237510, api_et=1655223060.000000000, api_lt=1655237460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655223060.000000000, search_lt=1655237460.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3210", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=142, eliminated_buckets=0, considered_events=30408783, total_slices=1484623, decompressed_slices=511800, duration.command.search.index=11240, invocations.command.search.index.bucketcache.hit=142, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=84280, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=14065638, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 20:11:41.661, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655237400_75755', total_run_time=30.81, event_count=0, result_count=0, available_count=0, scan_count=30398030, drop_count=0, exec_time=1655237449, api_et=1655223000.000000000, api_lt=1655237400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655223000.000000000, search_lt=1655237400.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2817", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=142, eliminated_buckets=0, considered_events=30398030, total_slices=1482257, decompressed_slices=511699, duration.command.search.index=12121, invocations.command.search.index.bucketcache.hit=142, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=86663, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=14062563, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 20:11:11.548, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1655237460_75762', total_run_time=5.30, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655237465, api_et=1655233860.000000000, api_lt=1655237460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655233860.000000000, search_lt=1655237467.303795000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="3187", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_55a29dc80b4eda3e", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=120, eliminated_buckets=48, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=38, invocations.command.search.index.bucketcache.hit=120, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 20:10:41.971, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655237220_75702', total_run_time=30.01, event_count=0, result_count=0, available_count=0, scan_count=30368560, drop_count=0, exec_time=1655237269, api_et=1655222820.000000000, api_lt=1655237220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655222820.000000000, search_lt=1655237220.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2720", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=143, eliminated_buckets=0, considered_events=30368560, total_slices=1501523, decompressed_slices=511268, duration.command.search.index=13292, invocations.command.search.index.bucketcache.hit=143, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=107464, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=14053514, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 20:10:41.969, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655237280_75719', total_run_time=34.81, event_count=0, result_count=0, available_count=0, scan_count=30376593, drop_count=0, exec_time=1655237329, api_et=1655222880.000000000, api_lt=1655237280.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655222880.000000000, search_lt=1655237280.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2663", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=143, eliminated_buckets=0, considered_events=30376593, total_slices=1503906, decompressed_slices=511416, duration.command.search.index=12858, invocations.command.search.index.bucketcache.hit=143, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=97562, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=14057100, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 20:10:41.817, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1655237340_75727', total_run_time=24.07, event_count=0, result_count=0, available_count=0, scan_count=4345670, drop_count=0, exec_time=1655237346, api_et=1655233140.000000000, api_lt=1655236740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655233140.000000000, search_lt=1655236740.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3005", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_ff1a56ee915214d8", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=802, eliminated_buckets=397, considered_events=4345670, total_slices=1073625, decompressed_slices=209510, duration.command.search.index=1843, invocations.command.search.index.bucketcache.hit=802, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=35408, invocations.command.search.rawdata.bucketcache.hit=9, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=140, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 20:10:41.758, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1655237220_75697', total_run_time=7.00, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655237246, api_et=1655233620.000000000, api_lt=1655237220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655233620.000000000, search_lt=1655237249.032467000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To 
Gitlab Servers - Rule", search_startup_time="3291", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_fba4e0670de37875", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=409, eliminated_buckets=199, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=121, invocations.command.search.index.bucketcache.hit=406, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host 
ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 20:10:41.365, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655237160_75682', total_run_time=17.34, event_count=0, result_count=0, available_count=0, scan_count=30357668, drop_count=0, exec_time=1655237209, api_et=1655222760.000000000, api_lt=1655237160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655222760.000000000, search_lt=1655237160.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2661", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=143, eliminated_buckets=0, considered_events=30357668, total_slices=1499280, decompressed_slices=511151, duration.command.search.index=10915, invocations.command.search.index.bucketcache.hit=143, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=78453, invocations.command.search.rawdata.bucketcache.hit=13, 
duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=14050232, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 20:10:40.882, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1655237220_75705', total_run_time=18.11, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655237280, api_et=1655233620.000000000, api_lt=1655237220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655233620.000000000, 
search_lt=1655237282.491059000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - Windows - CLI Threat Indicator Detected - Rule", search_startup_time="3096", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=409, eliminated_buckets=199, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=187, invocations.command.search.index.bucketcache.hit=406, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull 
value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-14-2022 20:10:40.751, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655237340_75735', total_run_time=31.64, event_count=0, result_count=0, available_count=0, scan_count=30389035, drop_count=0, exec_time=1655237389, api_et=1655222940.000000000, api_lt=1655237340.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655222940.000000000, search_lt=1655237340.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2610", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=143, eliminated_buckets=0, considered_events=30389035, total_slices=1506246, decompressed_slices=511572, duration.command.search.index=11719, invocations.command.search.index.bucketcache.hit=143, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, 
duration.command.search.rawdata=94948, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=14060829, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 20:06:14.312, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655237100_75668', total_run_time=17.36, event_count=0, result_count=0, available_count=0, scan_count=30352358, drop_count=0, exec_time=1655237150, api_et=1655222700.000000000, 
api_lt=1655237100.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655222700.000000000, search_lt=1655237100.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3219", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=143, eliminated_buckets=0, considered_events=30352358, total_slices=1496993, decompressed_slices=510994, duration.command.search.index=10961, invocations.command.search.index.bucketcache.hit=143, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=82020, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=14046324, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, 
earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 20:05:14.284, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655237040_75650', total_run_time=18.94, event_count=0, result_count=0, available_count=0, scan_count=30341479, drop_count=0, exec_time=1655237089, api_et=1655222640.000000000, api_lt=1655237040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655222640.000000000, search_lt=1655237040.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2722", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=143, eliminated_buckets=0, considered_events=30341479, total_slices=1494650, decompressed_slices=510724, duration.command.search.index=11690, invocations.command.search.index.bucketcache.hit=143, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=88422, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, 
invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=14040282, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 20:04:35.081, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655236980_75611', total_run_time=25.83, event_count=0, result_count=0, available_count=0, scan_count=30327475, drop_count=0, exec_time=1655237029, api_et=1655222580.000000000, api_lt=1655236980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655222580.000000000, search_lt=1655236980.000000000, is_realtime=0, 
savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2797", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=143, eliminated_buckets=0, considered_events=30327475, total_slices=1492339, decompressed_slices=510412, duration.command.search.index=14730, invocations.command.search.index.bucketcache.hit=143, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=107023, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=14033843, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as 
ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 20:04:14.679, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655236920_75564', total_run_time=24.08, event_count=0, result_count=0, available_count=0, scan_count=30312903, drop_count=0, exec_time=1655236970, api_et=1655222520.000000000, api_lt=1655236920.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655222520.000000000, search_lt=1655236920.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2808", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=143, eliminated_buckets=0, considered_events=30312903, total_slices=1489885, decompressed_slices=510134, duration.command.search.index=14316, invocations.command.search.index.bucketcache.hit=143, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=111336, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, 
invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=14028787, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 20:04:14.471, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655236860_75534', total_run_time=24.79, event_count=0, result_count=0, available_count=0, scan_count=30301313, drop_count=0, exec_time=1655236909, api_et=1655222460.000000000, api_lt=1655236860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655222460.000000000, search_lt=1655236860.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2683", has_error_msg=false, fully_completed_search=true, 
is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=143, eliminated_buckets=0, considered_events=30301313, total_slices=1487136, decompressed_slices=509810, duration.command.search.index=14392, invocations.command.search.index.bucketcache.hit=143, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=119914, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=14023701, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval 
right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 20:01:33.725, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655236800_75504', total_run_time=31.80, event_count=0, result_count=0, available_count=0, scan_count=30295682, drop_count=0, exec_time=1655236850, api_et=1655222400.000000000, api_lt=1655236800.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655222400.000000000, search_lt=1655236800.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2783", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=30295682, total_slices=1511200, decompressed_slices=509571, duration.command.search.index=15229, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=158822, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=14018003, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 19:45:08.868, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1655235780_75217', total_run_time=21.31, event_count=0, result_count=0, available_count=0, scan_count=3644, drop_count=0, exec_time=1655235818, api_et=1655232180.000000000, api_lt=1655235780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655232180.000000000, search_lt=1655235820.420576000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2789", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_0f78e3fc716040f3", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=3644, total_slices=959868, decompressed_slices=1528, duration.command.search.index=1161, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5058, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter 
vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 19:42:14.227, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1655235180_75013', total_run_time=306.06, event_count=0, result_count=0, available_count=0, scan_count=41461857, drop_count=0, exec_time=1655235205, api_et=1655231580.000000000, api_lt=1655235180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655231580.000000000, search_lt=1655235207.781411000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3910", has_error_msg=true, fully_completed_search=false, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_ad6ecb70b401686a", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1796, eliminated_buckets=116, considered_events=41461857, total_slices=14412929, decompressed_slices=4535353, duration.command.search.index=14994, invocations.command.search.index.bucketcache.hit=1799, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=239729, invocations.command.search.rawdata.bucketcache.hit=304, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 19:16:44.931, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1655234160_74674', total_run_time=7.76, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655234170, api_et=1655229960.000000000, api_lt=1655233560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655230560.000000000, search_lt=1655234172.197837000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3273", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_3b1279b892639ae7", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=980, eliminated_buckets=289, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=811, invocations.command.search.index.bucketcache.hit=980, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) 
as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 19:14:45.082, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1655234040_74634', total_run_time=5.10, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655234063, api_et=1655230440.000000000, api_lt=1655234040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655230440.000000000, search_lt=1655234065.965466000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2953", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=406, eliminated_buckets=280, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=45, invocations.command.search.index.bucketcache.hit=406, 
duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR 
sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." 
(CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-14-2022 19:11:27.781, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1655233860_74569', total_run_time=4.93, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655233865, api_et=1655230260.000000000, api_lt=1655233860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655230260.000000000, search_lt=1655233867.712039000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2994", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_40d7b420d192b1be", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=119, eliminated_buckets=46, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=44, invocations.command.search.index.bucketcache.hit=119, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 19:10:59.201, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1655233620_74513', total_run_time=6.14, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655233647, api_et=1655230020.000000000, api_lt=1655233620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655230020.000000000, search_lt=1655233649.062849000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="3013", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_a395849be726c3cf", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=408, eliminated_buckets=198, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=97, invocations.command.search.index.bucketcache.hit=406, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 19:10:57.976, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1655233620_74524', total_run_time=4.75, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655233684, api_et=1655230020.000000000, api_lt=1655233620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655230020.000000000, search_lt=1655233686.692982000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2884", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=408, eliminated_buckets=197, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=109, invocations.command.search.index.bucketcache.hit=405, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-14-2022 19:10:57.511, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1655233740_74537', total_run_time=18.98, event_count=1, result_count=1, available_count=0, scan_count=4473397, drop_count=0, exec_time=1655233746, api_et=1655229540.000000000, api_lt=1655233140.000000000, 
api_index_et=N/A, api_index_lt=N/A, search_et=1655229540.000000000, search_lt=1655233140.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3208", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_5725649271275f58", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=802, eliminated_buckets=392, considered_events=4473397, total_slices=1115438, decompressed_slices=218144, duration.command.search.index=1786, invocations.command.search.index.bucketcache.hit=802, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=34568, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=107, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | 
stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 18:44:08.936, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1655232180_74040', total_run_time=28.85, event_count=0, result_count=0, available_count=0, scan_count=3923, drop_count=0, exec_time=1655232218, api_et=1655228580.000000000, api_lt=1655232180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655228580.000000000, search_lt=1655232220.477005000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3184", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_840ac72e39793892", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=3923, total_slices=1028899, decompressed_slices=1525, duration.command.search.index=1256, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5085, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 18:43:17.873, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1655231580_73833', total_run_time=324.36, event_count=0, result_count=0, available_count=0, scan_count=42138153, drop_count=0, 
exec_time=1655231606, api_et=1655227980.000000000, api_lt=1655231580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655227980.000000000, search_lt=1655231608.091207000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3527", has_error_msg=true, fully_completed_search=false, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_b20e243edc664dbe", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1833, eliminated_buckets=116, considered_events=42138153, total_slices=14529070, decompressed_slices=4595530, duration.command.search.index=16483, invocations.command.search.index.bucketcache.hit=1832, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=287407, invocations.command.search.rawdata.bucketcache.hit=326, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename 
suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 18:16:37.800, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1655230560_73456', total_run_time=12.27, event_count=0, result_count=0, available_count=0, scan_count=3, drop_count=0, exec_time=1655230570, api_et=1655226360.000000000, api_lt=1655229960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655226960.000000000, search_lt=1655230572.757373000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3377", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_0f7a3bed415dfc64", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=987, eliminated_buckets=290, considered_events=3, total_slices=16076, decompressed_slices=1, duration.command.search.index=1431, invocations.command.search.index.bucketcache.hit=986, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, 
duration.command.search.rawdata=251, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF 
Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 18:14:37.531, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1655230440_73410', total_run_time=4.40, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655230463, api_et=1655226840.000000000, api_lt=1655230440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655226840.000000000, search_lt=1655230465.401016000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2836", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=411, eliminated_buckets=278, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=82, invocations.command.search.index.bucketcache.hit=410, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull 
value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-14-2022 18:11:37.834, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1655230260_73336', total_run_time=4.85, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655230265, api_et=1655226660.000000000, api_lt=1655230260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655226660.000000000, search_lt=1655230267.066249000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2842", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_f86ae096188347e9", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=119, eliminated_buckets=46, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=36, invocations.command.search.index.bucketcache.hit=119, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, 
duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 18:09:37.075, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1655230020_73277', total_run_time=4.75, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655230046, api_et=1655226420.000000000, api_lt=1655230020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655226420.000000000, search_lt=1655230047.914269000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2694", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_d990dd30807b8e8a", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=411, eliminated_buckets=199, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=106, invocations.command.search.index.bucketcache.hit=410, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 18:09:36.927, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1655230140_73303', total_run_time=25.78, event_count=0, result_count=0, available_count=0, scan_count=4595543, drop_count=0, exec_time=1655230145, api_et=1655225940.000000000, api_lt=1655229540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655225940.000000000, search_lt=1655229540.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3105", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_5b408c9bc1578032", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=798, eliminated_buckets=392, considered_events=4595543, total_slices=1189892, decompressed_slices=218118, duration.command.search.index=1911, invocations.command.search.index.bucketcache.hit=797, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=34690, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=120, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 18:09:36.506, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1655230020_73288', total_run_time=4.44, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655230084, api_et=1655226420.000000000, api_lt=1655230020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655226420.000000000, search_lt=1655230086.860344000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - Windows - 
CLI Threat Indicator Detected - Rule", search_startup_time="2983", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=411, eliminated_buckets=199, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=99, invocations.command.search.index.bucketcache.hit=410, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype 
CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-14-2022 17:46:00.528, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1655228580_72813', total_run_time=22.24, event_count=0, result_count=0, available_count=0, scan_count=3696, drop_count=0, exec_time=1655228618, api_et=1655224980.000000000, api_lt=1655228580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655224980.000000000, search_lt=1655228620.256960000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2738", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_d9aa20b843630ba1", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=128, eliminated_buckets=0, considered_events=3696, total_slices=966767, decompressed_slices=1215, duration.command.search.index=1223, invocations.command.search.index.bucketcache.hit=128, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5076, invocations.command.search.rawdata.bucketcache.hit=0, 
duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 17:42:57.892, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1655227980_72612', total_run_time=323.20, event_count=0, result_count=0, available_count=0, scan_count=40449497, drop_count=0, exec_time=1655228006, api_et=1655224380.000000000, api_lt=1655227980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655224380.000000000, search_lt=1655228008.110967000, is_realtime=0, 
savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3750", has_error_msg=true, fully_completed_search=false, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_bc07bd67d8a3de72", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1803, eliminated_buckets=109, considered_events=40449497, total_slices=14325318, decompressed_slices=4430198, duration.command.search.index=24920, invocations.command.search.index.bucketcache.hit=1806, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=291692, invocations.command.search.rawdata.bucketcache.hit=314, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip 
dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 17:16:43.388, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1655226960_72273', total_run_time=10.87, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655226970, api_et=1655222760.000000000, api_lt=1655226360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655223360.000000000, search_lt=1655226972.103850000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3167", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_a9c87144e5bd6f1d", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=990, eliminated_buckets=288, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=1135, invocations.command.search.index.bucketcache.hit=989, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, 
duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . 
" contain(s) risky tshirt commands that may indicate a CSRF attack." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 17:14:43.308, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1655226840_72232', total_run_time=7.77, event_count=0, result_count=0, available_count=0, scan_count=12359, drop_count=0, exec_time=1655226863, api_et=1655223240.000000000, api_lt=1655226840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655223240.000000000, search_lt=1655226865.854034000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2892", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=451, eliminated_buckets=298, considered_events=12359, total_slices=720089, decompressed_slices=5518, duration.command.search.index=1558, invocations.command.search.index.bucketcache.hit=451, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=6901, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=18, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=136, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=346, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=85, 
sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=2, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=129, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=5, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR 
sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-14-2022 17:11:13.506, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1655226660_72167', total_run_time=5.19, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655226665, api_et=1655223060.000000000, api_lt=1655226660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655223060.000000000, search_lt=1655226667.244459000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="3156", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_f35b0ad30f0e2c71", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=121, eliminated_buckets=48, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=47, 
invocations.command.search.index.bucketcache.hit=121, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 17:09:43.557, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1655226540_72136', total_run_time=19.73, event_count=0, result_count=0, available_count=0, scan_count=4686758, drop_count=0, exec_time=1655226546, api_et=1655222340.000000000, api_lt=1655225940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655222340.000000000, search_lt=1655225940.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="2993", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_9eff8a6ab7ddd054", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=776, eliminated_buckets=378, considered_events=4686758, total_slices=1200919, decompressed_slices=221759, duration.command.search.index=1949, invocations.command.search.index.bucketcache.hit=775, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=36485, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=80, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 17:08:43.539, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1655226420_72118', total_run_time=18.66, event_count=919, result_count=56, available_count=0, scan_count=224083, drop_count=0, exec_time=1655226480, api_et=1655222820.000000000, api_lt=1655226420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655222820.000000000, search_lt=1655226482.332267000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2863", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=449, eliminated_buckets=220, considered_events=225636, total_slices=825889, decompressed_slices=144502, duration.command.search.index=4809, invocations.command.search.index.bucketcache.hit=448, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=34649, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=3, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=179904, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=14102, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype 
CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-14-2022 17:07:54.407, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1655226420_72112', total_run_time=10.16, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655226446, api_et=1655222820.000000000, api_lt=1655226420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655222820.000000000, search_lt=1655226448.761966000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2909", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_4c00ba74b3fbe6b8", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=449, eliminated_buckets=220, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=1879, invocations.command.search.index.bucketcache.hit=448, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 17:01:09.677, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655225940_71923', total_run_time=55.88, event_count=0, result_count=0, available_count=0, scan_count=25670458, drop_count=0, exec_time=1655225990, api_et=1655211540.000000000, api_lt=1655225940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655211540.000000000, search_lt=1655225940.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3181", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=25670458, total_slices=1288958, decompressed_slices=442234, duration.command.search.index=10324, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=89813, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12570385, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 16:59:50.948, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655225760_71875', total_run_time=15.91, event_count=0, result_count=0, available_count=0, scan_count=25600738, drop_count=0, exec_time=1655225810, api_et=1655211360.000000000, api_lt=1655225760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655211360.000000000, search_lt=1655225760.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2654", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=25600738, total_slices=1282022, decompressed_slices=440874, duration.command.search.index=9318, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=65322, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12565470, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 16:59:50.587, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655225880_71910', total_run_time=25.39, event_count=0, result_count=0, available_count=0, scan_count=25651599, drop_count=0, exec_time=1655225929, api_et=1655211480.000000000, api_lt=1655225880.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655211480.000000000, search_lt=1655225880.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3081", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=25651599, total_slices=1286652, decompressed_slices=441864, duration.command.search.index=9506, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=74373, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12570850, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 16:59:50.004, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655225820_71894', total_run_time=21.69, event_count=0, result_count=0, available_count=0, scan_count=25627287, drop_count=0, exec_time=1655225869, api_et=1655211420.000000000, api_lt=1655225820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655211420.000000000, search_lt=1655225820.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2727", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=25627287, total_slices=1284164, decompressed_slices=441325, duration.command.search.index=11108, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=76754, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12568461, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 16:56:07.884, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655225700_71864', total_run_time=16.10, event_count=0, result_count=0, available_count=0, scan_count=25576115, drop_count=0, exec_time=1655225749, api_et=1655211300.000000000, api_lt=1655225700.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655211300.000000000, search_lt=1655225700.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2618", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=25576115, total_slices=1279868, decompressed_slices=440515, duration.command.search.index=9976, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=66444, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12562881, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 16:55:56.418, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655225640_71848', total_run_time=17.46, event_count=0, result_count=0, available_count=0, scan_count=25556567, drop_count=0, exec_time=1655225689, api_et=1655211240.000000000, api_lt=1655225640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655211240.000000000, search_lt=1655225640.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2700", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=25556567, total_slices=1277647, decompressed_slices=440291, duration.command.search.index=9959, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=65127, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12561989, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 16:55:55.359, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655225580_71831', total_run_time=16.22, event_count=0, result_count=0, available_count=0, scan_count=25533480, drop_count=0, exec_time=1655225629, api_et=1655211180.000000000, api_lt=1655225580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655211180.000000000, search_lt=1655225580.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3253", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=25533480, total_slices=1275691, decompressed_slices=439918, duration.command.search.index=10079, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=68208, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12559807, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 16:53:07.109, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655225520_71807', total_run_time=17.00, event_count=0, result_count=0, available_count=0, scan_count=25509926, drop_count=0, exec_time=1655225569, api_et=1655211120.000000000, api_lt=1655225520.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655211120.000000000, search_lt=1655225520.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2769", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=25509926, total_slices=1273391, decompressed_slices=439563, duration.command.search.index=10569, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=72407, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12556475, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 16:53:05.973, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655225400_71766', total_run_time=17.31, event_count=0, result_count=0, available_count=0, scan_count=25459752, drop_count=0, exec_time=1655225449, api_et=1655211000.000000000, api_lt=1655225400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655211000.000000000, search_lt=1655225400.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2760", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=25459752, total_slices=1269140, decompressed_slices=438783, duration.command.search.index=11056, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=76854, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12547916, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 16:53:05.236, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655225460_71790', total_run_time=18.09, event_count=0, result_count=0, available_count=0, scan_count=25483175, drop_count=0, exec_time=1655225510, api_et=1655211060.000000000, api_lt=1655225460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655211060.000000000, search_lt=1655225460.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2820", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=25483175, total_slices=1271241, decompressed_slices=439141, duration.command.search.index=11061, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=72548, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12552161, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 16:53:03.261, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655225340_71743', total_run_time=15.76, event_count=0, result_count=0, available_count=0, scan_count=25436416, drop_count=0, exec_time=1655225389, api_et=1655210940.000000000, api_lt=1655225340.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655210940.000000000, search_lt=1655225340.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2698", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=25436416, total_slices=1266943, decompressed_slices=438501, duration.command.search.index=9364, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=66748, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12545336, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 16:49:07.117, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655225280_71720', total_run_time=17.08, event_count=0, result_count=0, available_count=0, scan_count=25409095, drop_count=0, exec_time=1655225329, api_et=1655210880.000000000, api_lt=1655225280.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655210880.000000000, search_lt=1655225280.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2624", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=25409095, total_slices=1264882, decompressed_slices=438084, duration.command.search.index=10560, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=72724, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12541203, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 16:48:16.568, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655225040_71642', total_run_time=18.53, event_count=0, result_count=0, available_count=0, scan_count=25302205, drop_count=0, exec_time=1655225089, api_et=1655210640.000000000, api_lt=1655225040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655210640.000000000, search_lt=1655225040.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2725", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=25302205, total_slices=1256146, decompressed_slices=436493, duration.command.search.index=9609, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=70775, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12528589, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 16:48:16.232, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655225160_71682', total_run_time=16.32, event_count=0, result_count=0, available_count=0, scan_count=25357468, drop_count=0, exec_time=1655225209, api_et=1655210760.000000000, api_lt=1655225160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655210760.000000000, search_lt=1655225160.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2602", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=25357468, total_slices=1260401, decompressed_slices=437255, duration.command.search.index=9865, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=68090, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12535703, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 16:48:15.454, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655225220_71704', total_run_time=15.40, event_count=0, result_count=0, available_count=0, scan_count=25385140, drop_count=0, exec_time=1655225269, api_et=1655210820.000000000, api_lt=1655225220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655210820.000000000, search_lt=1655225220.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2814", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=25385140, total_slices=1262609, decompressed_slices=437701, duration.command.search.index=9438, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=65037, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12539256, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 16:48:13.783, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655225100_71664', total_run_time=16.60, event_count=0, result_count=0, available_count=0, scan_count=25329865, drop_count=0, exec_time=1655225149, api_et=1655210700.000000000, api_lt=1655225100.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655210700.000000000, search_lt=1655225100.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2744", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=25329865, total_slices=1258342, decompressed_slices=436950, duration.command.search.index=9552, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=63867, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12532664, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 16:44:10.140, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655224980_71621', total_run_time=18.42, event_count=0, result_count=0, available_count=0, scan_count=25274010, drop_count=0, exec_time=1655225030, api_et=1655210580.000000000, api_lt=1655224980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655210580.000000000, search_lt=1655224980.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3143", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=25274010, total_slices=1253943, decompressed_slices=436071, duration.command.search.index=9111, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=66934, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12525861, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 16:44:10.136, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1655224980_71618', total_run_time=27.27, event_count=0, result_count=0, available_count=0, scan_count=3399, drop_count=0, exec_time=1655225018, api_et=1655221380.000000000, api_lt=1655224980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655221380.000000000, search_lt=1655225020.657062000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3164", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_edf4e32cb87f4c3c", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=0, considered_events=3399, total_slices=884039, decompressed_slices=1055, duration.command.search.index=1236, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5083, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter 
vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 16:43:55.127, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655224920_71593', total_run_time=22.78, event_count=0, result_count=0, available_count=0, scan_count=25250323, drop_count=0, exec_time=1655224970, api_et=1655210520.000000000, api_lt=1655224920.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655210520.000000000, search_lt=1655224920.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2853", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=25250323, total_slices=1251776, decompressed_slices=435658, duration.command.search.index=10512, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=72924, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12523969, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 16:43:53.988, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655224800_71545', total_run_time=28.65, event_count=0, result_count=0, available_count=0, scan_count=25201467, drop_count=0, exec_time=1655224849, api_et=1655210400.000000000, api_lt=1655224800.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655210400.000000000, search_lt=1655224800.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2821", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=25201467, total_slices=1247541, decompressed_slices=434826, duration.command.search.index=10701, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=77022, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12519233, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 16:43:52.265, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655224740_71523', total_run_time=32.20, event_count=0, result_count=0, available_count=0, scan_count=25178436, drop_count=0, exec_time=1655224789, api_et=1655210340.000000000, api_lt=1655224740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655210340.000000000, search_lt=1655224740.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2625", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=25178436, total_slices=1271441, decompressed_slices=434551, duration.command.search.index=9295, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=82246, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12516608, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 16:43:52.083, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655224860_71569', total_run_time=23.79, event_count=0, result_count=0, available_count=0, scan_count=25222506, drop_count=0, exec_time=1655224909, api_et=1655210460.000000000, api_lt=1655224860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655210460.000000000, search_lt=1655224860.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2801", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=25222506, total_slices=1249591, decompressed_slices=435218, duration.command.search.index=11265, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=75214, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12521254, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 16:39:12.412, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655224680_71507', total_run_time=15.98, event_count=0, result_count=0, available_count=0, scan_count=25152563, drop_count=0, exec_time=1655224730, api_et=1655210280.000000000, api_lt=1655224680.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655210280.000000000, search_lt=1655224680.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2658", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=25152563, total_slices=1269265, decompressed_slices=434152, duration.command.search.index=9424, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=67298, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12513200, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 16:39:04.709, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1655224380_71399', total_run_time=337.18, event_count=0, result_count=0, available_count=0, scan_count=40714100, drop_count=0, exec_time=1655224405, api_et=1655220780.000000000, api_lt=1655224380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655220780.000000000, search_lt=1655224407.505386000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="4177", has_error_msg=true, fully_completed_search=false, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_d0841f4ec6a9aae4", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1798, eliminated_buckets=107, considered_events=40714100, total_slices=14134007, decompressed_slices=4471889, duration.command.search.index=16009, invocations.command.search.index.bucketcache.hit=1800, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=298315, invocations.command.search.rawdata.bucketcache.hit=297, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 16:38:49.716, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655224560_71478', total_run_time=21.98, event_count=0, result_count=0, available_count=0, scan_count=25107326, drop_count=0, exec_time=1655224610, api_et=1655210160.000000000, api_lt=1655224560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655210160.000000000, search_lt=1655224560.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2771", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=25107326, total_slices=1264906, decompressed_slices=433362, duration.command.search.index=10233, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=70471, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12504929, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 16:38:49.408, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655224260_71346', total_run_time=34.99, event_count=0, result_count=0, available_count=0, scan_count=24968978, drop_count=0, exec_time=1655224309, api_et=1655209860.000000000, api_lt=1655224260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655209860.000000000, search_lt=1655224260.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2773", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=24968978, total_slices=1254056, decompressed_slices=431256, duration.command.search.index=17073, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=192674, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12473279, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 16:38:46.487, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655224440_71447', total_run_time=37.03, event_count=0, result_count=0, available_count=0, scan_count=25054304, drop_count=0, exec_time=1655224490, api_et=1655210040.000000000, api_lt=1655224440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655210040.000000000, search_lt=1655224440.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3240", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=25054304, total_slices=1260723, decompressed_slices=432596, duration.command.search.index=11246, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=83819, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12495564, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 16:38:46.043, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655224320_71376', total_run_time=58.71, event_count=0, result_count=0, available_count=0, scan_count=24997656, drop_count=0, exec_time=1655224369, api_et=1655209920.000000000, api_lt=1655224320.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655209920.000000000, search_lt=1655224320.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3264", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=24997656, total_slices=1256181, decompressed_slices=431679, duration.command.search.index=15222, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=144705, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12481560, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 16:38:45.908, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655224620_71493', total_run_time=19.49, event_count=0, result_count=0, available_count=0, scan_count=25130487, drop_count=0, exec_time=1655224670, api_et=1655210220.000000000, api_lt=1655224620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655210220.000000000, search_lt=1655224620.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2759", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=25130487, total_slices=1267124, decompressed_slices=433765, duration.command.search.index=9767, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=67839, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12509406, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 16:38:43.682, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655224500_71468', total_run_time=31.51, event_count=0, result_count=0, available_count=0, scan_count=25080102, drop_count=0, exec_time=1655224550, api_et=1655210100.000000000, api_lt=1655224500.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655210100.000000000, search_lt=1655224500.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2680", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=25080102, total_slices=1262829, decompressed_slices=432952, duration.command.search.index=10224, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=80782, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12500181, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 16:31:29.256, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655224200_71319', total_run_time=27.42, event_count=0, result_count=0, available_count=0, scan_count=24939353, drop_count=0, exec_time=1655224249, api_et=1655209800.000000000, api_lt=1655224200.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655209800.000000000, search_lt=1655224200.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2991", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=24939353, total_slices=1251955, decompressed_slices=430785, duration.command.search.index=13654, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=124598, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12465871, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 16:31:03.910, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655224140_71290', total_run_time=17.21, event_count=0, result_count=0, available_count=0, scan_count=24908615, drop_count=0, exec_time=1655224190, api_et=1655209740.000000000, api_lt=1655224140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655209740.000000000, search_lt=1655224140.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2616", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=24908615, total_slices=1249534, decompressed_slices=430559, duration.command.search.index=9214, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=74757, invocations.command.search.rawdata.bucketcache.hit=9, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12458415, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 16:31:02.550, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655223960_71244', total_run_time=14.37, event_count=0, result_count=0, available_count=0, scan_count=24835069, drop_count=0, exec_time=1655224010, api_et=1655209560.000000000, api_lt=1655223960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655209560.000000000, search_lt=1655223960.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2756", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=24835069, total_slices=1268869, decompressed_slices=429515, duration.command.search.index=8996, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=65156, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12440461, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 16:31:02.445, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655224020_71262', total_run_time=14.45, event_count=0, result_count=0, available_count=0, scan_count=24856598, drop_count=0, exec_time=1655224069, api_et=1655209620.000000000, api_lt=1655224020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655209620.000000000, search_lt=1655224020.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2180", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=24856598, total_slices=1245009, decompressed_slices=429844, duration.command.search.index=9314, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=65412, invocations.command.search.rawdata.bucketcache.hit=9, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12446745, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 16:31:02.053, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655224080_71276', total_run_time=17.38, event_count=0, result_count=0, available_count=0, scan_count=24881688, drop_count=0, exec_time=1655224130, api_et=1655209680.000000000, api_lt=1655224080.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655209680.000000000, search_lt=1655224080.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2792", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=24881688, total_slices=1247419, decompressed_slices=430135, duration.command.search.index=9411, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=67017, invocations.command.search.rawdata.bucketcache.hit=9, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12452561, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 16:26:10.482, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655223900_71228', total_run_time=14.27, event_count=0, result_count=0, available_count=0, scan_count=24805861, drop_count=0, exec_time=1655223949, api_et=1655209500.000000000, api_lt=1655223900.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655209500.000000000, search_lt=1655223900.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2620", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=24805861, total_slices=1266084, decompressed_slices=429045, duration.command.search.index=8789, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=64710, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12433199, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 16:25:11.460, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655223840_71214', total_run_time=16.02, event_count=0, result_count=0, available_count=0, scan_count=24778989, drop_count=0, exec_time=1655223889, api_et=1655209440.000000000, api_lt=1655223840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655209440.000000000, search_lt=1655223840.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2891", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=24778989, total_slices=1264343, decompressed_slices=428756, duration.command.search.index=9663, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=67741, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12427192, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 16:24:10.929, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655223780_71196', total_run_time=16.19, event_count=0, result_count=0, available_count=0, scan_count=24752577, drop_count=0, exec_time=1655223829, api_et=1655209380.000000000, api_lt=1655223780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655209380.000000000, search_lt=1655223780.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2742", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=24752577, total_slices=1262357, decompressed_slices=428381, duration.command.search.index=8834, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61957, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12423355, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 16:23:11.242, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655223720_71164', total_run_time=16.89, event_count=0, result_count=0, available_count=0, scan_count=24724479, drop_count=0, exec_time=1655223769, api_et=1655209320.000000000, api_lt=1655223720.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655209320.000000000, search_lt=1655223720.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3363", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=24724479, total_slices=1260235, decompressed_slices=427904, duration.command.search.index=9059, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=67621, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12419137, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 16:22:27.202, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655223660_71148', total_run_time=18.37, event_count=0, result_count=0, available_count=0, scan_count=24699061, drop_count=0, exec_time=1655223709, api_et=1655209260.000000000, api_lt=1655223660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655209260.000000000, search_lt=1655223660.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2631", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=24699061, total_slices=1258161, decompressed_slices=427466, duration.command.search.index=11378, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=79090, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12413720, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 16:22:00.907, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655223420_71048', total_run_time=17.07, event_count=0, result_count=0, available_count=0, scan_count=24606531, drop_count=0, exec_time=1655223469, api_et=1655209020.000000000, api_lt=1655223420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655209020.000000000, search_lt=1655223420.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2858", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=24606531, total_slices=1249555, decompressed_slices=425996, duration.command.search.index=10150, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=71290, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12400730, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 16:22:00.398, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655223540_71094', total_run_time=20.72, event_count=0, result_count=0, available_count=0, scan_count=24655016, drop_count=0, exec_time=1655223590, api_et=1655209140.000000000, api_lt=1655223540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655209140.000000000, search_lt=1655223540.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2664", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=24655016, total_slices=1253817, decompressed_slices=426762, duration.command.search.index=9567, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=74438, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12407472, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 16:21:59.942, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD5f35305de57109d38_at_1655223600_71121', total_run_time=19.06, event_count=12410513, result_count=15, available_count=0, scan_count=24677183, drop_count=0, exec_time=1655223657, api_et=1655209200.000000000, api_lt=1655223600.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655209200.000000000, search_lt=1655223600.000000000, is_realtime=0, savedsearch_name="(1/3)_Public/NAT IP_Updating Existing IP", search_startup_time="2544", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_0f6d107c44b6659a", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=24677183, total_slices=1256318, decompressed_slices=427044, duration.command.search.index=11793, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=79784, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12410513, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="False" | eval earliest_seen=strptime(existing_es, "%m/%d/%Y %H:%M:%S.%N") | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(earliest_seen) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields ServiceType, host, src_translated_ip, earliest_seen, latest_seen, right_now, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 16:21:59.285, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655223480_71068', total_run_time=16.68, event_count=0, result_count=0, available_count=0, scan_count=24628202, drop_count=0, exec_time=1655223529, api_et=1655209080.000000000, api_lt=1655223480.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655209080.000000000, search_lt=1655223480.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2665", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=24628202, total_slices=1251838, decompressed_slices=426324, duration.command.search.index=10143, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=72998, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12403400, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 16:21:58.627, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655223600_71118', total_run_time=19.72, event_count=0, result_count=0, available_count=0, scan_count=24677185, drop_count=0, exec_time=1655223649, api_et=1655209200.000000000, api_lt=1655223600.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655209200.000000000, search_lt=1655223600.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2837", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=24677185, total_slices=1256026, decompressed_slices=427044, duration.command.search.index=10713, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=80262, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12410513, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 16:21:58.456, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655223360_71024', total_run_time=15.50, event_count=0, result_count=0, available_count=0, scan_count=24582256, drop_count=0, exec_time=1655223409, api_et=1655208960.000000000, api_lt=1655223360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655208960.000000000, search_lt=1655223360.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2635", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=24582256, total_slices=1247151, decompressed_slices=425643, duration.command.search.index=9036, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=66405, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12395970, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 16:16:33.995, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655223300_71007', total_run_time=16.17, event_count=0, result_count=0, available_count=0, scan_count=24558673, drop_count=0, exec_time=1655223349, api_et=1655208900.000000000, api_lt=1655223300.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655208900.000000000, search_lt=1655223300.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2922", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=1, considered_events=24558673, total_slices=1245352, decompressed_slices=425231, duration.command.search.index=8990, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=66568, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12391147, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 16:16:33.945, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1655223360_71018', total_run_time=15.28, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655223370, api_et=1655219160.000000000, api_lt=1655222760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655219760.000000000, search_lt=1655223372.528893000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3992", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_14359fb9e05b0923", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=987, eliminated_buckets=288, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=1307, invocations.command.search.index.bucketcache.hit=987, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes 
values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 16:15:33.529, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655223240_70988', total_run_time=14.24, event_count=0, result_count=0, available_count=0, scan_count=24534500, drop_count=0, exec_time=1655223290, api_et=1655208840.000000000, api_lt=1655223240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655208840.000000000, search_lt=1655223240.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2867", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=1, considered_events=24534500, total_slices=1243135, 
decompressed_slices=424897, duration.command.search.index=8649, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=63349, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12385522, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 16:14:33.625, 
user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1655223240_70975', total_run_time=5.48, event_count=0, result_count=0, available_count=0, scan_count=19872, drop_count=0, exec_time=1655223263, api_et=1655219640.000000000, api_lt=1655223240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655219640.000000000, search_lt=1655223264.945731000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2851", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=430, eliminated_buckets=287, considered_events=20382, total_slices=763740, decompressed_slices=5670, duration.command.search.index=1508, invocations.command.search.index.bucketcache.hit=430, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=6480, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=95, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=559, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=1463, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=352, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=10, sourcetype_count__crowdstrike:falcon:fdr:PdfFileWritten=2, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=606, sourcetype_count__crowdstrike:falcon:fdr:RtfFileWritten=1, 
sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=6, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | 
`filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-14-2022 16:14:03.817, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655223180_70965', total_run_time=13.63, event_count=0, result_count=0, available_count=0, scan_count=24511571, drop_count=0, exec_time=1655223229, api_et=1655208780.000000000, api_lt=1655223180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655208780.000000000, search_lt=1655223180.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2759", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=1, considered_events=24511571, total_slices=1241058, decompressed_slices=424521, duration.command.search.index=8628, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=64305, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12380624, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 16:13:33.611, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655223120_70938', total_run_time=23.60, event_count=0, result_count=0, available_count=0, 
scan_count=24486910, drop_count=0, exec_time=1655223169, api_et=1655208720.000000000, api_lt=1655223120.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655208720.000000000, search_lt=1655223120.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2591", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=1, considered_events=24486910, total_slices=1239011, decompressed_slices=424041, duration.command.search.index=11274, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=107777, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12373139, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv 
src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 16:12:44.951, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655223060_70920', total_run_time=15.41, event_count=0, result_count=0, available_count=0, scan_count=24467530, drop_count=0, exec_time=1655223110, api_et=1655208660.000000000, api_lt=1655223060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655208660.000000000, search_lt=1655223060.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3272", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=1, considered_events=24467530, total_slices=1236901, decompressed_slices=423698, duration.command.search.index=8981, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=64915, 
invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12368263, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 16:11:33.628, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655223000_70893', total_run_time=17.82, event_count=0, result_count=0, available_count=0, scan_count=24450201, drop_count=0, exec_time=1655223049, api_et=1655208600.000000000, api_lt=1655223000.000000000, api_index_et=N/A, api_index_lt=N/A, 
search_et=1655208600.000000000, search_lt=1655223000.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3298", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=1, considered_events=24450201, total_slices=1234789, decompressed_slices=423391, duration.command.search.index=9082, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=66811, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12365386, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval 
isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 16:11:33.622, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1655223060_70902', total_run_time=4.86, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655223065, api_et=1655219460.000000000, api_lt=1655223060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655219460.000000000, search_lt=1655223066.880608000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2835", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_b96dd44a01ac3ba1", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=120, eliminated_buckets=45, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=56, invocations.command.search.index.bucketcache.hit=120, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, 
invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 16:10:24.229, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655222940_70875', total_run_time=16.03, event_count=0, result_count=0, available_count=0, scan_count=24427887, drop_count=0, exec_time=1655222989, api_et=1655208540.000000000, api_lt=1655222940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655208540.000000000, search_lt=1655222940.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2742", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=1, considered_events=24427887, total_slices=1232682, decompressed_slices=422964, duration.command.search.index=8802, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=64745, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12359747, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 16:10:05.619, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655222820_70842', total_run_time=22.90, event_count=0, result_count=0, available_count=0, scan_count=24383233, drop_count=0, exec_time=1655222870, api_et=1655208420.000000000, api_lt=1655222820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655208420.000000000, search_lt=1655222820.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2829", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=1, considered_events=24383233, total_slices=1228533, decompressed_slices=422284, duration.command.search.index=12061, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=87707, invocations.command.search.rawdata.bucketcache.hit=9, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12349975, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 16:10:05.077, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1655222820_70837', total_run_time=5.88, event_count=0, result_count=0, available_count=0, scan_count=1, drop_count=0, exec_time=1655222846, api_et=1655219220.000000000, api_lt=1655222820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655219220.000000000, search_lt=1655222848.814500000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2875", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_f541d73c6313cc2d", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=427, eliminated_buckets=210, considered_events=1, total_slices=611, decompressed_slices=1, duration.command.search.index=1008, invocations.command.search.index.bucketcache.hit=427, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=169, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 16:10:04.562, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1655222820_70851', total_run_time=18.95, event_count=1167, result_count=62, available_count=0, scan_count=589300, drop_count=0, exec_time=1655222885, api_et=1655219220.000000000, api_lt=1655222820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655219220.000000000, search_lt=1655222886.917892000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2856", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=427, eliminated_buckets=210, considered_events=594646, total_slices=675305, decompressed_slices=145618, duration.command.search.index=5924, invocations.command.search.index.bucketcache.hit=427, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=50560, invocations.command.search.rawdata.bucketcache.hit=6, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=3, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=450612, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=51071, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-14-2022 16:10:04.359, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1655222940_70867', total_run_time=24.14, event_count=0, result_count=0, available_count=0, scan_count=4632151, drop_count=0, exec_time=1655222946, api_et=1655218740.000000000, api_lt=1655222340.000000000, 
api_index_et=N/A, api_index_lt=N/A, search_et=1655218740.000000000, search_lt=1655222340.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="2684", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_4dcc1e9d2093066b", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=798, eliminated_buckets=407, considered_events=4632151, total_slices=1158238, decompressed_slices=216963, duration.command.search.index=1898, invocations.command.search.index.bucketcache.hit=796, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=34969, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=95, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | 
stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 16:10:04.351, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655222760_70821', total_run_time=21.89, event_count=0, result_count=0, available_count=0, scan_count=24362127, drop_count=0, exec_time=1655222810, api_et=1655208360.000000000, api_lt=1655222760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655208360.000000000, search_lt=1655222760.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2714", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=1, considered_events=24362127, total_slices=1226537, decompressed_slices=421907, duration.command.search.index=12019, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, 
invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=96031, invocations.command.search.rawdata.bucketcache.hit=9, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12345520, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 16:10:04.338, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655222880_70859', total_run_time=14.42, event_count=0, result_count=0, available_count=0, scan_count=24405439, drop_count=0, exec_time=1655222929, 
api_et=1655208480.000000000, api_lt=1655222880.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655208480.000000000, search_lt=1655222880.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2749", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=1, considered_events=24405439, total_slices=1229990, decompressed_slices=422630, duration.command.search.index=9308, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=64670, invocations.command.search.rawdata.bucketcache.hit=9, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12354704, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS 
existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 16:06:16.990, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655222700_70807', total_run_time=16.40, event_count=0, result_count=0, available_count=0, scan_count=24339588, drop_count=0, exec_time=1655222750, api_et=1655208300.000000000, api_lt=1655222700.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655208300.000000000, search_lt=1655222700.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3184", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=1, considered_events=24339588, total_slices=1224387, decompressed_slices=421527, duration.command.search.index=9018, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=67650, invocations.command.search.rawdata.bucketcache.hit=9, 
duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12341690, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 16:05:34.031, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655222640_70790', total_run_time=17.68, event_count=0, result_count=0, available_count=0, scan_count=24319367, drop_count=0, exec_time=1655222690, api_et=1655208240.000000000, api_lt=1655222640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655208240.000000000, 
search_lt=1655222640.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2918", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=133, eliminated_buckets=0, considered_events=24319367, total_slices=1222133, decompressed_slices=421204, duration.command.search.index=9957, invocations.command.search.index.bucketcache.hit=133, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=74094, invocations.command.search.rawdata.bucketcache.hit=9, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12339136, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | 
search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 16:05:08.540, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655222580_70749', total_run_time=28.80, event_count=0, result_count=0, available_count=0, scan_count=24303950, drop_count=0, exec_time=1655222629, api_et=1655208180.000000000, api_lt=1655222580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655208180.000000000, search_lt=1655222580.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2784", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=133, eliminated_buckets=0, considered_events=24303950, total_slices=1220083, decompressed_slices=421010, duration.command.search.index=13210, invocations.command.search.index.bucketcache.hit=133, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=103769, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, 
duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12338727, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 16:05:08.494, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655222520_70703', total_run_time=19.57, event_count=0, result_count=0, available_count=0, scan_count=24284092, drop_count=0, exec_time=1655222569, api_et=1655208120.000000000, api_lt=1655222520.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655208120.000000000, search_lt=1655222520.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", 
search_startup_time="2699", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=133, eliminated_buckets=0, considered_events=24284092, total_slices=1217981, decompressed_slices=420597, duration.command.search.index=11399, invocations.command.search.index.bucketcache.hit=133, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=89000, invocations.command.search.rawdata.bucketcache.hit=7, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12335238, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen 
earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 16:05:07.579, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655222460_70672', total_run_time=17.48, event_count=0, result_count=0, available_count=0, scan_count=24262729, drop_count=0, exec_time=1655222509, api_et=1655208060.000000000, api_lt=1655222460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655208060.000000000, search_lt=1655222460.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2825", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=133, eliminated_buckets=0, considered_events=24262729, total_slices=1215916, decompressed_slices=420271, duration.command.search.index=10684, invocations.command.search.index.bucketcache.hit=133, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=82039, invocations.command.search.rawdata.bucketcache.hit=7, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12335382, 
search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 16:01:34.179, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655222400_70642', total_run_time=21.28, event_count=0, result_count=0, available_count=0, scan_count=24241926, drop_count=0, exec_time=1655222449, api_et=1655208000.000000000, api_lt=1655222400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655208000.000000000, search_lt=1655222400.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2653", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=133, eliminated_buckets=0, considered_events=24241926, total_slices=1213362, decompressed_slices=419990, duration.command.search.index=11304, invocations.command.search.index.bucketcache.hit=133, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=94938, invocations.command.search.rawdata.bucketcache.hit=7, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12335324, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 15:44:26.859, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1655221380_70347', total_run_time=22.00, event_count=0, result_count=0, available_count=0, scan_count=2901, drop_count=0, exec_time=1655221418, api_et=1655217780.000000000, api_lt=1655221380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655217780.000000000, search_lt=1655221420.165449000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2853", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_26169bc242c265ce", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=0, considered_events=2901, total_slices=924369, decompressed_slices=811, duration.command.search.index=1117, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4779, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 15:41:26.663, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1655220780_70144', total_run_time=475.57, event_count=0, result_count=0, available_count=0, scan_count=40208836, drop_count=0, exec_time=1655220806, api_et=1655217180.000000000, api_lt=1655220780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655217180.000000000, search_lt=1655220808.431103000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3840", has_error_msg=true, fully_completed_search=false, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_946ba1b5e5fc57de", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1792, eliminated_buckets=107, considered_events=40208836, total_slices=14362079, decompressed_slices=4420245, duration.command.search.index=14949, invocations.command.search.index.bucketcache.hit=1795, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=236732, invocations.command.search.rawdata.bucketcache.hit=300, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 15:17:55.303, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1655219640_69784', total_run_time=20.41, event_count=0, result_count=0, available_count=0, scan_count=16718, drop_count=0, exec_time=1655219830, api_et=1655216040.000000000, api_lt=1655219640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655216040.000000000, search_lt=1655219833.648740000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="4196", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=419, eliminated_buckets=282, considered_events=17284, total_slices=765201, decompressed_slices=4602, duration.command.search.index=3012, invocations.command.search.index.bucketcache.hit=419, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=21430, invocations.command.search.rawdata.bucketcache.hit=6, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=74, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=484, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=1259, 
sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=297, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=8, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=565, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=18, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR 
sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-14-2022 15:17:54.008, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1655219760_69800', total_run_time=9.06, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655219839, api_et=1655215560.000000000, api_lt=1655219160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655216160.000000000, search_lt=1655219841.295711000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="4583", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_d65671b5ecf8c255", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=986, eliminated_buckets=289, considered_events=0, total_slices=0, 
decompressed_slices=0, duration.command.search.index=892, invocations.command.search.index.bucketcache.hit=986, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation 
task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 15:11:42.148, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1655219340_69685', total_run_time=49.61, event_count=0, result_count=0, available_count=0, scan_count=4609847, drop_count=0, exec_time=1655219444, api_et=1655215140.000000000, api_lt=1655218740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655215140.000000000, search_lt=1655218740.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3588", has_error_msg=false, fully_completed_search=false, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_2aa6516452c93a98", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=771, eliminated_buckets=382, considered_events=4609847, total_slices=1266517, decompressed_slices=215843, duration.command.search.index=2635, invocations.command.search.index.bucketcache.hit=771, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, 
invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=62995, invocations.command.search.rawdata.bucketcache.hit=22, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=55, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 15:11:40.514, user=u00001, action=search, info=completed, 
search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1655219220_69678', total_run_time=35.49, event_count=1267, result_count=57, available_count=0, scan_count=541691, drop_count=0, exec_time=1655219442, api_et=1655215620.000000000, api_lt=1655219220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655215620.000000000, search_lt=1655219445.605021000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - Windows - CLI Threat Indicator Detected - Rule", search_startup_time="4043", has_error_msg=false, fully_completed_search=false, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=423, eliminated_buckets=209, considered_events=546841, total_slices=564993, decompressed_slices=125853, duration.command.search.index=14353, invocations.command.search.index.bucketcache.hit=421, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=141122, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=1, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=426676, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=42554, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search 
`index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-14-2022 15:11:11.169, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1655219460_69709', total_run_time=4.54, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655219465, api_et=1655215860.000000000, api_lt=1655219460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655215860.000000000, search_lt=1655219467.329782000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="3019", has_error_msg=false, fully_completed_search=false, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_6c04b6ccce5f805d", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=120, eliminated_buckets=45, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=69, invocations.command.search.index.bucketcache.hit=120, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting 
to collect intellectual property from the Gitlab source control system." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 15:11:10.069, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1655219220_69671', total_run_time=17.88, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655219441, api_et=1655215620.000000000, api_lt=1655219220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655215620.000000000, search_lt=1655219444.123381000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="4130", has_error_msg=false, fully_completed_search=false, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_42394ffce5a7d2d3", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=423, eliminated_buckets=209, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=2997, invocations.command.search.index.bucketcache.hit=421, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 14:45:51.004, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1655217780_69184', total_run_time=21.67, event_count=0, result_count=0, available_count=0, scan_count=2693, drop_count=0, exec_time=1655217818, api_et=1655214180.000000000, api_lt=1655217780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655214180.000000000, search_lt=1655217820.882235000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2982", has_error_msg=false, fully_completed_search=false, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_bceab651d598f7ac", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=128, eliminated_buckets=0, considered_events=2693, total_slices=859483, decompressed_slices=761, duration.command.search.index=1116, invocations.command.search.index.bucketcache.hit=128, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4946, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 14:38:41.165, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1655217180_68977', total_run_time=38.26, event_count=0, result_count=0, available_count=0, scan_count=42154639, drop_count=0, exec_time=1655217206, api_et=1655213580.000000000, api_lt=1655217180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655213580.000000000, search_lt=1655217208.469339000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3905", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_ba896c3557f5634a", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1807, eliminated_buckets=106, considered_events=42154639, total_slices=14627590, decompressed_slices=4604953, duration.command.search.index=15346, invocations.command.search.index.bucketcache.hit=1806, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=244251, invocations.command.search.rawdata.bucketcache.hit=331, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 14:16:30.215, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1655216160_68625', total_run_time=9.37, event_count=0, result_count=0, available_count=0, scan_count=65, drop_count=0, exec_time=1655216170, api_et=1655211960.000000000, api_lt=1655215560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655212560.000000000, search_lt=1655216172.356246000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3235", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_d2756e9cccf13eb2", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=987, eliminated_buckets=291, considered_events=65, total_slices=64057, decompressed_slices=10, duration.command.search.index=829, invocations.command.search.index.bucketcache.hit=987, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=729, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 14:14:29.850, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1655216040_68585', total_run_time=5.15, event_count=0, result_count=0, available_count=0, scan_count=21122, drop_count=0, exec_time=1655216063, api_et=1655212440.000000000, api_lt=1655216040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655212440.000000000, search_lt=1655216064.969502000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2784", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=419, eliminated_buckets=284, considered_events=22018, total_slices=791496, decompressed_slices=4525, duration.command.search.index=1371, invocations.command.search.index.bucketcache.hit=419, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=6245, invocations.command.search.rawdata.bucketcache.hit=5, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=64, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=347, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=1071, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=231, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=9, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=397, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=16, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") 
`filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-14-2022 14:11:29.708, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1655215860_68518', total_run_time=4.57, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655215864, api_et=1655212260.000000000, api_lt=1655215860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655212260.000000000, search_lt=1655215865.730858000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2237", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_9d024a5edacbb44c", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=121, eliminated_buckets=45, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=56, invocations.command.search.index.bucketcache.hit=121, 
duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 14:09:29.538, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1655215740_68487', total_run_time=20.35, event_count=0, result_count=0, available_count=0, scan_count=4349355, drop_count=0, exec_time=1655215746, api_et=1655211540.000000000, api_lt=1655215140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655211540.000000000, search_lt=1655215140.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="2827", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_c1a7bf064cfe2984", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=788, eliminated_buckets=378, considered_events=4349355, total_slices=1268817, decompressed_slices=207169, duration.command.search.index=1885, invocations.command.search.index.bucketcache.hit=785, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=33588, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=91, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 14:08:29.987, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1655215620_68467', total_run_time=18.37, event_count=2251, result_count=109, available_count=0, scan_count=553028, drop_count=0, exec_time=1655215680, api_et=1655212020.000000000, api_lt=1655215620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655212020.000000000, search_lt=1655215682.074557000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2743", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=419, eliminated_buckets=206, considered_events=560508, total_slices=509461, decompressed_slices=130972, duration.command.search.index=4086, invocations.command.search.index.bucketcache.hit=419, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=37311, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=2, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=434631, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=48131, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype 
CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-14-2022 14:07:59.706, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1655215620_68462', total_run_time=5.29, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655215646, api_et=1655212020.000000000, api_lt=1655215620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655212020.000000000, search_lt=1655215648.367995000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2852", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_806741ec70844d23", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=419, eliminated_buckets=206, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=922, invocations.command.search.index.bucketcache.hit=419, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 13:44:13.778, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1655214180_67995', total_run_time=28.06, event_count=0, result_count=0, available_count=0, scan_count=3387, drop_count=0, exec_time=1655214218, api_et=1655210580.000000000, api_lt=1655214180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655210580.000000000, search_lt=1655214220.350983000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2801", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_8606b884793d0a61", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=1, considered_events=3387, total_slices=735704, decompressed_slices=910, duration.command.search.index=1189, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4822, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 13:44:11.516, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1655213580_67779', total_run_time=396.82, event_count=0, result_count=0, available_count=0, scan_count=39259507, drop_count=0, exec_time=1655213605, api_et=1655209980.000000000, api_lt=1655213580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655209980.000000000, search_lt=1655213607.724379000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3737", has_error_msg=true, fully_completed_search=false, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_6896c664758d207c", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1802, eliminated_buckets=106, considered_events=39259507, total_slices=14319511, decompressed_slices=4381308, duration.command.search.index=14080, invocations.command.search.index.bucketcache.hit=1807, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=233378, invocations.command.search.rawdata.bucketcache.hit=320, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 13:17:15.908, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1655212560_67438', total_run_time=9.44, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655212571, api_et=1655208360.000000000, api_lt=1655211960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655208960.000000000, search_lt=1655212573.198380000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3260", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_f2653c2e22f1fc8a", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=989, eliminated_buckets=290, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=829, invocations.command.search.index.bucketcache.hit=989, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 13:14:43.480, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1655212440_67398', total_run_time=6.51, event_count=0, result_count=0, available_count=0, scan_count=16236, drop_count=0, exec_time=1655212463, api_et=1655208840.000000000, api_lt=1655212440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655208840.000000000, search_lt=1655212465.466083000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2749", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=417, eliminated_buckets=286, considered_events=16461, total_slices=703064, decompressed_slices=3360, duration.command.search.index=1266, invocations.command.search.index.bucketcache.hit=417, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=6056, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=60, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=204, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=916, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=134, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=3, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=214, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=5, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") 
`filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-14-2022 13:11:13.347, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1655212260_67333', total_run_time=4.78, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655212264, api_et=1655208660.000000000, api_lt=1655212260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655208660.000000000, search_lt=1655212266.172875000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2776", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_ad5e56c8f723177f", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=122, eliminated_buckets=47, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=76, invocations.command.search.index.bucketcache.hit=122, 
duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 13:09:43.221, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1655212140_67301', total_run_time=23.78, event_count=0, result_count=0, available_count=0, scan_count=4619545, drop_count=0, exec_time=1655212145, api_et=1655207940.000000000, api_lt=1655211540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655207940.000000000, search_lt=1655211540.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3046", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_d14a66cdebe15680", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=773, eliminated_buckets=370, considered_events=4619545, total_slices=1270887, decompressed_slices=214889, duration.command.search.index=1893, invocations.command.search.index.bucketcache.hit=773, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=34044, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=68, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 13:09:01.413, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1655212020_67265', total_run_time=5.62, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655212046, api_et=1655208420.000000000, api_lt=1655212020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655208420.000000000, search_lt=1655212048.226589000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To 
Gitlab Servers - Rule", search_startup_time="2706", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_06241f1c675fe1b5", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=417, eliminated_buckets=201, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=694, invocations.command.search.index.bucketcache.hit=416, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host 
ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 13:09:00.766, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1655212020_67282', total_run_time=20.01, event_count=1873, result_count=108, available_count=0, scan_count=440538, drop_count=0, exec_time=1655212080, api_et=1655208420.000000000, api_lt=1655212020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655208420.000000000, search_lt=1655212082.028322000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2832", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=417, eliminated_buckets=201, considered_events=446458, total_slices=476394, decompressed_slices=97727, duration.command.search.index=3520, invocations.command.search.index.bucketcache.hit=416, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=30914, invocations.command.search.rawdata.bucketcache.hit=5, duration.command.search.rawdata.bucketcache.hit=0, 
invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=2, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=356063, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=41244, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] 
Audit:[timestamp=06-14-2022 13:00:34.510, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655211540_67078', total_run_time=43.54, event_count=0, result_count=0, available_count=0, scan_count=22587760, drop_count=0, exec_time=1655211590, api_et=1655197140.000000000, api_lt=1655211540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655197140.000000000, search_lt=1655211540.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3017", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=22587760, total_slices=1332828, decompressed_slices=388440, duration.command.search.index=8457, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=72011, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11968227, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs 
sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 12:59:19.766, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655211480_67065', total_run_time=21.23, event_count=0, result_count=0, available_count=0, scan_count=22580763, drop_count=0, exec_time=1655211529, api_et=1655197080.000000000, api_lt=1655211480.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655197080.000000000, search_lt=1655211480.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2973", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=22580763, total_slices=1331022, decompressed_slices=388359, duration.command.search.index=8804, invocations.command.search.index.bucketcache.hit=144, 
duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=60744, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11963115, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 12:58:50.598, user=u00002, action=search, info=completed, 
search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655211360_67031', total_run_time=23.58, event_count=0, result_count=0, available_count=0, scan_count=22570293, drop_count=0, exec_time=1655211409, api_et=1655196960.000000000, api_lt=1655211360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655196960.000000000, search_lt=1655211360.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2609", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=22570293, total_slices=1327323, decompressed_slices=388253, duration.command.search.index=8459, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=66391, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11955055, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" 
src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 12:58:50.597, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655211420_67049', total_run_time=21.31, event_count=0, result_count=0, available_count=0, scan_count=22575074, drop_count=0, exec_time=1655211469, api_et=1655197020.000000000, api_lt=1655211420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655197020.000000000, search_lt=1655211420.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2647", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=22575074, total_slices=1329161, decompressed_slices=388257, duration.command.search.index=8341, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, 
invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=66215, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11959681, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 12:56:30.649, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655211300_67020', total_run_time=28.21, 
event_count=0, result_count=0, available_count=0, scan_count=22564791, drop_count=0, exec_time=1655211349, api_et=1655196900.000000000, api_lt=1655211300.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655196900.000000000, search_lt=1655211300.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2623", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=22564791, total_slices=1325632, decompressed_slices=388151, duration.command.search.index=8667, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=71723, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11951182, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, 
dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 12:55:30.340, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655211240_67002', total_run_time=28.57, event_count=0, result_count=0, available_count=0, scan_count=22562382, drop_count=0, exec_time=1655211289, api_et=1655196840.000000000, api_lt=1655211240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655196840.000000000, search_lt=1655211240.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2656", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=22562382, total_slices=1323773, decompressed_slices=388125, duration.command.search.index=9952, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, 
duration.command.search.rawdata=70486, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11948962, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 12:54:30.347, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655211180_66986', total_run_time=27.10, event_count=0, result_count=0, available_count=0, scan_count=22558806, drop_count=0, exec_time=1655211229, api_et=1655196780.000000000, 
api_lt=1655211180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655196780.000000000, search_lt=1655211180.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3144", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=22558806, total_slices=1321760, decompressed_slices=388035, duration.command.search.index=9362, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=75230, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11945436, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, 
earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 12:53:30.551, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655211120_66962', total_run_time=31.53, event_count=0, result_count=0, available_count=0, scan_count=22553742, drop_count=0, exec_time=1655211169, api_et=1655196720.000000000, api_lt=1655211120.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655196720.000000000, search_lt=1655211120.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2641", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=22553742, total_slices=1320173, decompressed_slices=387968, duration.command.search.index=10222, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=85269, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, 
invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11942458, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 12:52:30.640, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655211060_66945', total_run_time=29.97, event_count=0, result_count=0, available_count=0, scan_count=22547095, drop_count=0, exec_time=1655211109, api_et=1655196660.000000000, api_lt=1655211060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655196660.000000000, search_lt=1655211060.000000000, is_realtime=0, 
savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2623", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=22547095, total_slices=1318428, decompressed_slices=387891, duration.command.search.index=10473, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=87837, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11938427, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as 
ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 12:52:00.499, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655211000_66921', total_run_time=40.88, event_count=0, result_count=0, available_count=0, scan_count=22538204, drop_count=0, exec_time=1655211050, api_et=1655196600.000000000, api_lt=1655211000.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655196600.000000000, search_lt=1655211000.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2712", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=22538204, total_slices=1316736, decompressed_slices=387807, duration.command.search.index=12061, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=101140, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, 
invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11934262, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 12:50:30.555, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655210940_66898', total_run_time=39.64, event_count=0, result_count=0, available_count=0, scan_count=22535171, drop_count=0, exec_time=1655210990, api_et=1655196540.000000000, api_lt=1655210940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655196540.000000000, search_lt=1655210940.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2734", has_error_msg=false, fully_completed_search=true, 
is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=22535171, total_slices=1314892, decompressed_slices=387811, duration.command.search.index=10473, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=96079, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11932518, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval 
right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 12:49:30.362, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655210880_66876', total_run_time=32.40, event_count=0, result_count=0, available_count=0, scan_count=22535743, drop_count=0, exec_time=1655210929, api_et=1655196480.000000000, api_lt=1655210880.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655196480.000000000, search_lt=1655210880.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2685", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=22535743, total_slices=1313084, decompressed_slices=387808, duration.command.search.index=11828, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=96012, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11932591, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 12:48:30.338, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655210820_66859', total_run_time=26.37, event_count=0, result_count=0, available_count=0, scan_count=22532909, drop_count=0, exec_time=1655210870, api_et=1655196420.000000000, api_lt=1655210820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655196420.000000000, search_lt=1655210820.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2595", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=22532909, total_slices=1311259, decompressed_slices=387778, duration.command.search.index=9658, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=78951, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11930620, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 12:47:30.425, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655210760_66838', total_run_time=28.25, event_count=0, result_count=0, available_count=0, scan_count=22525934, drop_count=0, exec_time=1655210809, api_et=1655196360.000000000, api_lt=1655210760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655196360.000000000, search_lt=1655210760.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2558", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=1, considered_events=22525934, total_slices=1309649, decompressed_slices=387635, duration.command.search.index=9224, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=78783, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11926795, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 12:46:30.391, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655210700_66820', total_run_time=30.08, event_count=0, result_count=0, available_count=0, scan_count=22522122, drop_count=0, exec_time=1655210749, api_et=1655196300.000000000, api_lt=1655210700.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655196300.000000000, search_lt=1655210700.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2691", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=1, considered_events=22522122, total_slices=1307806, decompressed_slices=387635, duration.command.search.index=10105, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=84880, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11923588, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 12:45:54.910, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655210640_66797', total_run_time=26.76, event_count=0, result_count=0, available_count=0, scan_count=22523144, drop_count=0, exec_time=1655210690, api_et=1655196240.000000000, api_lt=1655210640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655196240.000000000, search_lt=1655210640.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2620", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=1, considered_events=22523144, total_slices=1306127, decompressed_slices=387633, duration.command.search.index=9724, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=82801, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11922972, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 12:44:30.649, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655210580_66776', total_run_time=27.44, event_count=0, result_count=0, available_count=0, scan_count=22522330, drop_count=0, exec_time=1655210629, api_et=1655196180.000000000, api_lt=1655210580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655196180.000000000, search_lt=1655210580.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3283", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=22522330, total_slices=1330336, decompressed_slices=387608, duration.command.search.index=9709, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=83957, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11919680, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 12:44:30.643, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1655210580_66773', total_run_time=39.38, event_count=0, result_count=0, available_count=0, scan_count=3437, drop_count=0, exec_time=1655210618, api_et=1655206980.000000000, api_lt=1655210580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655206980.000000000, search_lt=1655210620.087542000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2994", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_74cb2d3537eecc6c", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=129, eliminated_buckets=1, considered_events=3437, total_slices=702214, decompressed_slices=1006, duration.command.search.index=1666, invocations.command.search.index.bucketcache.hit=129, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5929, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 12:43:30.388, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655210520_66749', total_run_time=34.71, event_count=0, result_count=0, available_count=0, scan_count=22518369, drop_count=0, exec_time=1655210569, api_et=1655196120.000000000, api_lt=1655210520.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655196120.000000000, search_lt=1655210520.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2593", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=22518369, total_slices=1328434, decompressed_slices=387569, duration.command.search.index=10243, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=90505, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11915867, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 12:43:03.826, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655210340_66679', total_run_time=32.12, event_count=0, result_count=0, available_count=0, scan_count=22504361, drop_count=0, exec_time=1655210389, api_et=1655195940.000000000, api_lt=1655210340.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655195940.000000000, search_lt=1655210340.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2820", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=22504361, total_slices=1349144, decompressed_slices=387522, duration.command.search.index=12044, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=105254, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11905757, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 12:43:03.241, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655210460_66726', total_run_time=30.79, event_count=0, result_count=0, available_count=0, scan_count=22513133, drop_count=0, exec_time=1655210509, api_et=1655196060.000000000, api_lt=1655210460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655196060.000000000, search_lt=1655210460.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2765", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=22513133, total_slices=1352655, decompressed_slices=387514, duration.command.search.index=11005, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=100283, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11911743, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 12:43:02.833, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1655209980_66552', total_run_time=539.91, event_count=0, result_count=0, available_count=0, scan_count=39302117, drop_count=0, exec_time=1655210005, api_et=1655206380.000000000, api_lt=1655209980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655206380.000000000, search_lt=1655210007.213140000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3663", has_error_msg=true, fully_completed_search=false, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_301c36ac28dfc1e1", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1817, eliminated_buckets=106, considered_events=39302117, total_slices=14447286, decompressed_slices=4352448, duration.command.search.index=14134, invocations.command.search.index.bucketcache.hit=1823, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=233136, invocations.command.search.rawdata.bucketcache.hit=327, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 12:43:02.750, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655210400_66700', total_run_time=40.72, event_count=0, result_count=0, available_count=0, scan_count=22503734, drop_count=0, exec_time=1655210449, api_et=1655196000.000000000, api_lt=1655210400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655196000.000000000, search_lt=1655210400.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2667", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=22503734, total_slices=1350649, decompressed_slices=387459, duration.command.search.index=13283, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=117677, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11908774, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 12:39:15.846, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655210280_66663', total_run_time=22.94, event_count=0, result_count=0, available_count=0, scan_count=22501313, drop_count=0, exec_time=1655210329, api_et=1655195880.000000000, api_lt=1655210280.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655195880.000000000, search_lt=1655210280.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2637", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=22501313, total_slices=1373340, decompressed_slices=387481, duration.command.search.index=9065, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=72230, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11904154, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 12:38:31.619, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655210220_66647', total_run_time=22.02, event_count=0, result_count=0, available_count=0, scan_count=22497495, drop_count=0, exec_time=1655210270, api_et=1655195820.000000000, api_lt=1655210220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655195820.000000000, search_lt=1655210220.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2611", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=22497495, total_slices=1371497, decompressed_slices=387480, duration.command.search.index=9990, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=75676, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11900814, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 12:38:03.810, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655209980_66566', total_run_time=43.53, event_count=0, result_count=0, available_count=0, scan_count=22496965, drop_count=0, exec_time=1655210029, api_et=1655195580.000000000, api_lt=1655209980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655195580.000000000, search_lt=1655209980.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2721", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=22496965, total_slices=1364479, decompressed_slices=387580, duration.command.search.index=12895, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=120423, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11901018, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 12:38:03.043, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655210100_66622', total_run_time=23.78, event_count=0, result_count=0, available_count=0, scan_count=22494616, drop_count=0, exec_time=1655210149, api_et=1655195700.000000000, api_lt=1655210100.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655195700.000000000, search_lt=1655210100.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2755", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=22494616, total_slices=1367975, decompressed_slices=387471, duration.command.search.index=9670, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=76279, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11899530, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 12:38:02.870, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655209920_66529', total_run_time=34.06, event_count=0, result_count=0, available_count=0, scan_count=22494646, drop_count=0, exec_time=1655209970, api_et=1655195520.000000000, api_lt=1655209920.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655195520.000000000, search_lt=1655209920.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2660", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=22494646, total_slices=1362670, decompressed_slices=387537, duration.command.search.index=13150, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=120250, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11899448, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 12:38:02.843, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655209860_66499', total_run_time=26.19, event_count=0, result_count=0, available_count=0, scan_count=22489198, drop_count=0, exec_time=1655209909, api_et=1655195460.000000000, api_lt=1655209860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655195460.000000000, search_lt=1655209860.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2713", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=22489198, total_slices=1360889, decompressed_slices=387517, duration.command.search.index=10638, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=99540, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11896948, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 12:38:02.802, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655210160_66632', total_run_time=22.50, event_count=0, result_count=0, available_count=0, scan_count=22494736, drop_count=0, exec_time=1655210210, api_et=1655195760.000000000, api_lt=1655210160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655195760.000000000, search_lt=1655210160.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2654", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=22494736, total_slices=1369766, decompressed_slices=387501, duration.command.search.index=9436, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=72599, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11899459, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 12:38:02.140, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655210040_66601', total_run_time=26.97, event_count=0, result_count=0, available_count=0, scan_count=22495772, drop_count=0, exec_time=1655210089, api_et=1655195640.000000000, api_lt=1655210040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655195640.000000000, search_lt=1655210040.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2868", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=22495772, total_slices=1366243, decompressed_slices=387517, duration.command.search.index=10368, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=97736, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11899053, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 12:31:28.696, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655209800_66470', total_run_time=19.16, event_count=0, result_count=0, available_count=0, scan_count=22486554, drop_count=0, exec_time=1655209849, api_et=1655195400.000000000, api_lt=1655209800.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655195400.000000000, search_lt=1655209800.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3104", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=22486554, total_slices=1358900, decompressed_slices=387537, duration.command.search.index=9411, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=71490, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11895358, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 12:30:28.666, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655209740_66442', total_run_time=13.39, event_count=0, result_count=0, available_count=0, scan_count=22485576, drop_count=0, exec_time=1655209789, api_et=1655195340.000000000, api_lt=1655209740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655195340.000000000, search_lt=1655209740.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2747", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=22485576, total_slices=1357390, decompressed_slices=387509, duration.command.search.index=7706, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59525, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11895587, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 12:29:28.801, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655209680_66429', total_run_time=12.91, event_count=0, result_count=0, available_count=0, scan_count=22485394, drop_count=0, exec_time=1655209730, api_et=1655195280.000000000, api_lt=1655209680.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655195280.000000000, search_lt=1655209680.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2659", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=22485394, total_slices=1355570, decompressed_slices=387492, duration.command.search.index=7968, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59522, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11895150, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 12:28:28.500, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655209620_66414', total_run_time=13.73, event_count=0, result_count=0, available_count=0, scan_count=22485379, drop_count=0, exec_time=1655209669, api_et=1655195220.000000000, api_lt=1655209620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655195220.000000000, search_lt=1655209620.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2628", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=22485379, total_slices=1353742, decompressed_slices=387409, duration.command.search.index=8068, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=60076, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11894808, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 12:27:28.693, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655209560_66395', total_run_time=17.46, event_count=0, result_count=0, available_count=0, scan_count=22477288, drop_count=0, exec_time=1655209609, api_et=1655195160.000000000, api_lt=1655209560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655195160.000000000, search_lt=1655209560.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2142", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=22477288, total_slices=1351913, decompressed_slices=387304, duration.command.search.index=7971, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58982, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11892359, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 12:26:13.821, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655209500_66379', total_run_time=20.41, event_count=0, result_count=0, available_count=0, scan_count=22472057, drop_count=0, exec_time=1655209549, api_et=1655195100.000000000, api_lt=1655209500.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655195100.000000000, search_lt=1655209500.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3127", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=22472057, total_slices=1350238, decompressed_slices=387290, duration.command.search.index=8303, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61921, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11890899, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 12:25:53.404, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655209440_66365', total_run_time=25.02, event_count=0, result_count=0, available_count=0, scan_count=22470082, drop_count=0, exec_time=1655209490, api_et=1655195040.000000000, api_lt=1655209440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655195040.000000000, search_lt=1655209440.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2862", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=22470082, total_slices=1348464, decompressed_slices=387215, duration.command.search.index=8154, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=60047, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11890964, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 12:24:28.956, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655209380_66346', total_run_time=21.65, event_count=0, result_count=0, available_count=0, scan_count=22471851, drop_count=0, exec_time=1655209429, api_et=1655194980.000000000, api_lt=1655209380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655194980.000000000, search_lt=1655209380.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2838", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=22471851, total_slices=1346662, decompressed_slices=387216, duration.command.search.index=8665, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=60553, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11889998, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 12:23:28.778, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655209320_66314', total_run_time=19.78, event_count=0, result_count=0, available_count=0, scan_count=22470019, drop_count=0, exec_time=1655209369, api_et=1655194920.000000000, api_lt=1655209320.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655194920.000000000, search_lt=1655209320.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2724", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=22470019, total_slices=1344881, decompressed_slices=387148, duration.command.search.index=8197, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=62500, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11887346, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 12:22:45.370, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655209260_66298', total_run_time=32.11, event_count=0, result_count=0, available_count=0, scan_count=22466373, drop_count=0, exec_time=1655209309, api_et=1655194860.000000000, api_lt=1655209260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655194860.000000000, search_lt=1655209260.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2779", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=22466373, total_slices=1343144, decompressed_slices=387131, duration.command.search.index=10507, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=95626, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11885128, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 12:22:19.081, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655209080_66222', total_run_time=37.44, event_count=0, result_count=0, available_count=0, scan_count=22464700, drop_count=0, exec_time=1655209130, api_et=1655194680.000000000, api_lt=1655209080.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655194680.000000000, search_lt=1655209080.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2449", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=22464700, total_slices=1338060, decompressed_slices=387122, duration.command.search.index=8932, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=69455, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11882164, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 12:22:18.781, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655209200_66271', total_run_time=37.60, event_count=0, result_count=0, available_count=0, scan_count=22462855, drop_count=0, exec_time=1655209250, api_et=1655194800.000000000, api_lt=1655209200.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655194800.000000000, search_lt=1655209200.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2667", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=22462855, total_slices=1341344, decompressed_slices=387143, duration.command.search.index=9068, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=66296, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11883593, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 12:22:18.400, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655208960_66177', total_run_time=42.11, event_count=0, result_count=0, available_count=0, scan_count=22458517, drop_count=0, exec_time=1655209009, api_et=1655194560.000000000, api_lt=1655208960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655194560.000000000, search_lt=1655208960.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2623", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=22458517, total_slices=1360610, decompressed_slices=387020, duration.command.search.index=10055, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=71794, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11875053, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 12:22:17.320, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655209140_66247', total_run_time=26.81, event_count=0, result_count=0, available_count=0, scan_count=22461213, drop_count=0, exec_time=1655209189, api_et=1655194740.000000000, api_lt=1655209140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655194740.000000000, search_lt=1655209140.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2997", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=22461213, total_slices=1339803, decompressed_slices=387163, duration.command.search.index=8261, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=63278, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11881742, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 12:22:16.707, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655209020_66200', total_run_time=30.08, event_count=0, result_count=0, available_count=0, scan_count=22461618, drop_count=0, exec_time=1655209070, api_et=1655194620.000000000, api_lt=1655209020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655194620.000000000, search_lt=1655209020.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2817", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=22461618, total_slices=1336314, decompressed_slices=387063, duration.command.search.index=9255, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=70206, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11878631, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 12:16:35.441, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655208900_66160', total_run_time=33.80, event_count=0, result_count=0, available_count=0, scan_count=22455335, drop_count=0, exec_time=1655208949, api_et=1655194500.000000000, api_lt=1655208900.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655194500.000000000, search_lt=1655208900.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2847", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=22455335, total_slices=1358948, decompressed_slices=386999, duration.command.search.index=9597, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=73988, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11872959, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 12:16:35.388, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1655208960_66171', total_run_time=11.96, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655208971, api_et=1655204760.000000000, api_lt=1655208360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655205360.000000000, search_lt=1655208974.140833000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3990", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_c0bf01cf37525eed", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=992, eliminated_buckets=291, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=823, invocations.command.search.index.bucketcache.hit=992, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 12:15:35.714, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655208840_66141', total_run_time=36.15, event_count=0, result_count=0, available_count=0, scan_count=22454778, drop_count=0, exec_time=1655208890, api_et=1655194440.000000000, api_lt=1655208840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655194440.000000000, search_lt=1655208840.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3111", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=22454778, total_slices=1357255, decompressed_slices=387000, duration.command.search.index=11400, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=84036, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11872672, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 12:14:35.439, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1655208840_66128', total_run_time=7.32, event_count=0, result_count=0, available_count=0, scan_count=12249, drop_count=0, exec_time=1655208863, api_et=1655205240.000000000, api_lt=1655208840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655205240.000000000, search_lt=1655208866.006951000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="3213", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", 
provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=413, eliminated_buckets=284, considered_events=12249, total_slices=606453, decompressed_slices=2967, duration.command.search.index=960, invocations.command.search.index.bucketcache.hit=413, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=6574, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=38, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=113, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=318, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=75, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=3, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=177, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=2, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR 
sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." 
(CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-14-2022 12:14:35.390, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655208780_66118', total_run_time=21.47, event_count=0, result_count=0, available_count=0, scan_count=22458029, drop_count=0, exec_time=1655208829, api_et=1655194380.000000000, api_lt=1655208780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655194380.000000000, search_lt=1655208780.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2673", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=22458029, total_slices=1355473, decompressed_slices=387031, duration.command.search.index=10926, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=73423, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11873223, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 12:13:35.348, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655208720_66091', total_run_time=31.92, event_count=0, result_count=0, available_count=0, scan_count=22457409, drop_count=0, exec_time=1655208769, api_et=1655194320.000000000, api_lt=1655208720.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655194320.000000000, search_lt=1655208720.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3156", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=22457409, total_slices=1353722, decompressed_slices=387067, duration.command.search.index=8531, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=67842, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11871675, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 12:12:35.310, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655208660_66073', total_run_time=27.27, event_count=0, result_count=0, available_count=0, scan_count=22457376, drop_count=0, exec_time=1655208710, api_et=1655194260.000000000, api_lt=1655208660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655194260.000000000, search_lt=1655208660.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2643", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=22457376, total_slices=1352002, decompressed_slices=387125, duration.command.search.index=8905, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=70746, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11869913, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 12:11:36.312, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655208600_66048', total_run_time=24.46, event_count=0, result_count=0, available_count=0, scan_count=22451100, drop_count=0, exec_time=1655208649, api_et=1655194200.000000000, api_lt=1655208600.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655194200.000000000, search_lt=1655208600.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2711", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=22451100, total_slices=1350531, decompressed_slices=387181, duration.command.search.index=8468, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=63406, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11865974, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 12:11:35.324, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1655208660_66055', total_run_time=4.76, event_count=0, result_count=0, available_count=0, scan_count=2, drop_count=0, exec_time=1655208664, api_et=1655205060.000000000, api_lt=1655208660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655205060.000000000, search_lt=1655208666.386426000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2321", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_180705fa775a16cf", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=122, eliminated_buckets=47, considered_events=2, total_slices=22500, decompressed_slices=2, duration.command.search.index=69, invocations.command.search.index.bucketcache.hit=122, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=228, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 12:10:35.338, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655208540_66027', total_run_time=25.14, event_count=0, result_count=0, available_count=0, scan_count=22452200, drop_count=0, exec_time=1655208589, api_et=1655194140.000000000, api_lt=1655208540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655194140.000000000, search_lt=1655208540.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2676", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=22452200, total_slices=1348597, decompressed_slices=387294, duration.command.search.index=9097, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=60296, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11866795, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 12:09:35.510, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655208480_66011', total_run_time=15.21, event_count=0, result_count=0, available_count=0, scan_count=22458031, drop_count=0, exec_time=1655208529, api_et=1655194080.000000000, api_lt=1655208480.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655194080.000000000, search_lt=1655208480.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2725", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=22458031, total_slices=1346928, decompressed_slices=387315, duration.command.search.index=8555, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=60929, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11868523, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 12:09:35.433, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1655208420_65988', total_run_time=7.43, event_count=0, result_count=0, available_count=0, scan_count=1, drop_count=0, exec_time=1655208446, api_et=1655204820.000000000, api_lt=1655208420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655204820.000000000, search_lt=1655208448.819710000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2983", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_1e8095f14b896305", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=413, eliminated_buckets=201, considered_events=1, total_slices=1427, decompressed_slices=1, duration.command.search.index=768, invocations.command.search.index.bucketcache.hit=412, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=128, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 12:09:35.358, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1655208420_65996', total_run_time=15.19, event_count=992, result_count=56, available_count=0, scan_count=324043, drop_count=0, exec_time=1655208480, api_et=1655204820.000000000, api_lt=1655208420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655204820.000000000, search_lt=1655208482.052225000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2773", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=413, eliminated_buckets=201, considered_events=334350, total_slices=562691, decompressed_slices=87964, duration.command.search.index=3147, invocations.command.search.index.bucketcache.hit=412, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=25239, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=266656, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=30805, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-14-2022 12:09:35.242, user=u00002, action=search, info=completed, search_id='scheduler__u00002__search__RMD5b133e58a16dd7195_at_1655208000_65942', total_run_time=165.24, event_count=2696, result_count=2695, available_count=0, scan_count=1757831, drop_count=0, exec_time=1655208290, api_et=1655121600.000000000, api_lt=1655208000.000000000, api_index_et=N/A, 
api_index_lt=N/A, search_et=1567209600.000000000, search_lt=1655208000.000000000, is_realtime=0, savedsearch_name="DMO Confluence Aging Metrics", search_startup_time="64789", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_search_u00002_d78b9369e0c6f8e8", app="search", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=30406, eliminated_buckets=4811, considered_events=1757831, total_slices=14058063, decompressed_slices=1089872, duration.command.search.index=1232285, invocations.command.search.index.bucketcache.hit=25523, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=4932, duration.command.search.index.bucketcache.miss=670603, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=215531, invocations.command.search.rawdata.bucketcache.hit=18174, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=2529, duration.command.search.rawdata.bucketcache.miss=465318, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__access=71088, sourcetype_count__atlassian:confluence:access=1170765, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search earliest=08/31/2019:00:00:00 latest=now index=ops_confluence url IN ("https://confluence.tshirt.com/display/SEC/*") uri_path="/rest/quickreload/latest/*" | fields url, uri_path | rex field=uri_path "\/rest\/quickreload\/latest\/(?[^?]+)" | rex field=url "https:\/\/confluence.tshirt.com\/display\/SEC\/(?[^?]+)" | rex field=url "https://confluence.tshirt.com/display/~u00001/(?[^?]+)" | eval 
pageTitle=coalesce(pageTitle_1, pageTitle_2, "") | fields pageId, pageTitle | dedup pageId | join type=left pageId [search earliest=08/31/2019:00:00:00 latest=now index=ops_confluence PUT user=* url="https://confluence.tshirt.com/pages/resumedraft.action?draftId=*" uri_path="/rest/api/content/*" | rex field=uri_path "\/rest\/api\/content\/(?[^?]+)\?status=draft" | stats latest(_time) AS last_edited latest(user) AS last_edited_by by pageId | fields last_edited last_edited_by pageId] | fields last_edited pageTitle pageId last_edited_by | eval days=round(((now()-last_edited)/86400),0) | convert ctime(last_edited) | table last_edited pageTitle pageId last_edited_by days | where pageId!=0 | sort +days | outputlookup dmo_conf_age.csv'] Audit:[timestamp=06-14-2022 12:09:35.096, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1655208540_66019', total_run_time=20.90, event_count=0, result_count=0, available_count=0, scan_count=4763265, drop_count=0, exec_time=1655208546, api_et=1655204340.000000000, api_lt=1655207940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655204340.000000000, search_lt=1655207940.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3118", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_d73aff2f2f049e1f", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=782, eliminated_buckets=377, considered_events=4763265, total_slices=1201961, decompressed_slices=219320, duration.command.search.index=1980, invocations.command.search.index.bucketcache.hit=780, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, 
invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=34046, invocations.command.search.rawdata.bucketcache.hit=9, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=108, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 12:09:34.617, user=u00002, action=search, info=completed, 
search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655208420_65993', total_run_time=14.31, event_count=0, result_count=0, available_count=0, scan_count=22461100, drop_count=0, exec_time=1655208469, api_et=1655194020.000000000, api_lt=1655208420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655194020.000000000, search_lt=1655208420.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2574", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=22461100, total_slices=1345156, decompressed_slices=387328, duration.command.search.index=8349, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=60207, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11868761, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" 
src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 12:09:34.365, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655208360_65973', total_run_time=20.62, event_count=0, result_count=0, available_count=0, scan_count=22461100, drop_count=0, exec_time=1655208410, api_et=1655193960.000000000, api_lt=1655208360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655193960.000000000, search_lt=1655208360.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3597", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=22461100, total_slices=1343550, decompressed_slices=387303, duration.command.search.index=8360, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, 
invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=64313, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11866089, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 12:06:35.673, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655208300_65959', total_run_time=20.30, 
event_count=0, result_count=0, available_count=0, scan_count=22460319, drop_count=0, exec_time=1655208349, api_et=1655193900.000000000, api_lt=1655208300.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655193900.000000000, search_lt=1655208300.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3195", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=22460319, total_slices=1341857, decompressed_slices=387336, duration.command.search.index=9055, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=65208, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11864605, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, 
dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 12:05:35.489, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655208240_65941', total_run_time=37.77, event_count=0, result_count=0, available_count=0, scan_count=22458103, drop_count=0, exec_time=1655208290, api_et=1655193840.000000000, api_lt=1655208240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655193840.000000000, search_lt=1655208240.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3112", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=22458103, total_slices=1340174, decompressed_slices=387405, duration.command.search.index=9655, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, 
duration.command.search.rawdata=72448, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11863447, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 12:04:52.541, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655208180_65899', total_run_time=55.76, event_count=0, result_count=0, available_count=0, scan_count=22459099, drop_count=0, exec_time=1655208229, api_et=1655193780.000000000, 
api_lt=1655208180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655193780.000000000, search_lt=1655208180.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2536", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=22459099, total_slices=1338309, decompressed_slices=387446, duration.command.search.index=11141, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=84469, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11862394, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, 
earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 12:04:26.512, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655208060_65822', total_run_time=55.97, event_count=0, result_count=0, available_count=0, scan_count=22458702, drop_count=0, exec_time=1655208109, api_et=1655193660.000000000, api_lt=1655208060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655193660.000000000, search_lt=1655208060.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2840", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=22458702, total_slices=1334863, decompressed_slices=387536, duration.command.search.index=13389, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=98942, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, 
invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11856299, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 12:04:25.970, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655208120_65853', total_run_time=47.91, event_count=0, result_count=0, available_count=0, scan_count=22458186, drop_count=0, exec_time=1655208169, api_et=1655193720.000000000, api_lt=1655208120.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655193720.000000000, search_lt=1655208120.000000000, is_realtime=0, 
savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3022", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=22458186, total_slices=1336648, decompressed_slices=387443, duration.command.search.index=12011, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=101952, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11860667, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as 
ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 12:04:25.759, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD5447569e8e48a25cb_at_1655208000_65786', total_run_time=63.23, event_count=0, result_count=102, available_count=0, scan_count=0, drop_count=0, exec_time=1655208032, api_et=1655206200.000000000, api_lt=1655208000.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655206200.000000000, search_lt=1655208000.000000000, is_realtime=0, savedsearch_name="DMO SOP SIR Metrics", search_startup_time="64016", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=0, eliminated_buckets=0, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=0, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='| inputlookup dmo_conf_age.csv | search pageTitle IN ("DMOESS*", "RQ-S*") NOT pageTitle IN ("*+Retired", "*+RETIRED") | rex field=pageTitle "^(?\S+?)\+" | join usecase_id [| search earliest=-1y index=sec_snow sourcetype=snow:sn_si_incident | rex field=description "(?s)\|\s(?(RQ-|DMOESS).*)?For ServiceNow Consumption:" | stats latest(number) as latest_sir_number by _time, usecase_title | makemv usecase_title delim=" | " | mvexpand usecase_title | search usecase_title IN ("RQ-*", "DMOESS*") | stats last(latest_sir_number) as latest_sir_number latest(_time) as last_appeared_in_sir by usecase_title | rex field=usecase_title "^(?\S*)" | fields usecase_id, usecase_title, latest_sir_number, last_appeared_in_sir] | stats values(pageTitle) as conf_pageTitle, values(last_edited_by) as conf_last_edited_by, values(last_edited) as conf_last_edited, values(days) as conf_days_since_last_edit, values(pageId) as conf_pageId by last_appeared_in_sir, latest_sir_number, usecase_id, usecase_title | convert ctime(last_appeared_in_sir) | outputlookup dmo_sop_sir_metrics.csv'] Audit:[timestamp=06-14-2022 12:04:25.457, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655208000_65789', total_run_time=57.80, event_count=0, result_count=0, available_count=0, scan_count=22459060, drop_count=0, exec_time=1655208049, api_et=1655193600.000000000, api_lt=1655208000.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655193600.000000000, search_lt=1655208000.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2687", has_error_msg=false, 
fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=22459060, total_slices=1333125, decompressed_slices=387633, duration.command.search.index=13147, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=100000, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11853861, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host 
src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 11:44:26.510, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1655206980_65501', total_run_time=28.14, event_count=0, result_count=0, available_count=0, scan_count=3581, drop_count=0, exec_time=1655207018, api_et=1655203380.000000000, api_lt=1655206980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655203380.000000000, search_lt=1655207020.211620000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2867", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_b772f427ce2c9ca7", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=0, considered_events=3581, total_slices=704530, decompressed_slices=1037, duration.command.search.index=3925, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5601, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 11:42:26.444, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1655206380_65297', total_run_time=536.41, event_count=0, result_count=0, available_count=0, scan_count=39236627, drop_count=0, exec_time=1655206405, api_et=1655202780.000000000, api_lt=1655206380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655202780.000000000, search_lt=1655206407.210119000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3393", has_error_msg=true, fully_completed_search=false, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_a420f4cf930b50ea", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1790, eliminated_buckets=106, considered_events=39236627, total_slices=14351082, decompressed_slices=4374909, duration.command.search.index=14335, invocations.command.search.index.bucketcache.hit=1795, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=233605, invocations.command.search.rawdata.bucketcache.hit=302, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 11:16:24.548, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1655205360_64960', total_run_time=9.67, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655205371, api_et=1655201160.000000000, api_lt=1655204760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655201760.000000000, search_lt=1655205372.752661000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3165", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_4044071155079976", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=992, eliminated_buckets=291, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=832, invocations.command.search.index.bucketcache.hit=992, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 11:14:54.305, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1655205240_64919', total_run_time=6.78, event_count=0, result_count=0, available_count=0, scan_count=11913, drop_count=0, exec_time=1655205263, api_et=1655201640.000000000, api_lt=1655205240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655201640.000000000, search_lt=1655205265.233400000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2867", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=414, eliminated_buckets=283, considered_events=11913, total_slices=537271, decompressed_slices=2460, duration.command.search.index=937, invocations.command.search.index.bucketcache.hit=412, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5833, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=35, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=88, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=269, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=59, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=3, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=141, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=3, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") 
`filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-14-2022 11:11:24.546, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1655205060_64855', total_run_time=4.91, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655205065, api_et=1655201460.000000000, api_lt=1655205060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655201460.000000000, search_lt=1655205067.122213000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2860", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_7b0752d98f24dee8", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=123, eliminated_buckets=48, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=74, invocations.command.search.index.bucketcache.hit=123, 
duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 11:09:40.281, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1655204940_64822', total_run_time=23.69, event_count=0, result_count=0, available_count=0, scan_count=4644519, drop_count=0, exec_time=1655204945, api_et=1655200740.000000000, api_lt=1655204340.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655200740.000000000, search_lt=1655204340.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3033", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_b8c5fae1d790bc1e", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=756, eliminated_buckets=370, considered_events=4644519, total_slices=1101951, decompressed_slices=220545, duration.command.search.index=1902, invocations.command.search.index.bucketcache.hit=755, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=35811, invocations.command.search.rawdata.bucketcache.hit=5, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=97, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 11:09:11.804, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1655204820_64804', total_run_time=17.51, event_count=1148, result_count=55, available_count=0, scan_count=330603, drop_count=0, exec_time=1655204880, api_et=1655201220.000000000, api_lt=1655204820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655201220.000000000, search_lt=1655204882.595840000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2892", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=412, eliminated_buckets=201, considered_events=337029, total_slices=652854, decompressed_slices=92646, duration.command.search.index=3282, invocations.command.search.index.bucketcache.hit=412, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=27640, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=6, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=271006, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=32560, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype 
CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-14-2022 11:09:11.041, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1655204820_64799', total_run_time=8.53, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655204846, api_et=1655201220.000000000, api_lt=1655204820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655201220.000000000, search_lt=1655204848.772479000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2829", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_d3b0ba5108fcedb5", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=412, eliminated_buckets=201, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=878, invocations.command.search.index.bucketcache.hit=412, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 10:44:28.559, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1655203380_64335', total_run_time=33.46, event_count=0, result_count=0, available_count=0, scan_count=3005, drop_count=0, exec_time=1655203418, api_et=1655199780.000000000, api_lt=1655203380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655199780.000000000, search_lt=1655203420.462141000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2816", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_2ec19ad98e071388", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=1, considered_events=3005, total_slices=721085, decompressed_slices=1006, duration.command.search.index=1151, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5057, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 10:40:22.183, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1655202780_64126', total_run_time=372.38, event_count=0, result_count=0, available_count=0, scan_count=40935214, drop_count=0, exec_time=1655202805, api_et=1655199180.000000000, api_lt=1655202780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655199180.000000000, search_lt=1655202807.514323000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3937", has_error_msg=true, fully_completed_search=false, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_a3f24273e5fddec8", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1812, eliminated_buckets=106, considered_events=40935214, total_slices=14388487, decompressed_slices=4469085, duration.command.search.index=14551, invocations.command.search.index.bucketcache.hit=1812, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=238031, invocations.command.search.rawdata.bucketcache.hit=305, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 10:20:58.866, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1655201760_63778', total_run_time=15.22, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655201770, api_et=1655197560.000000000, api_lt=1655201160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655198160.000000000, search_lt=1655201772.355282000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3305", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_fbfae380dfd24f8a", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=991, eliminated_buckets=291, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=971, invocations.command.search.index.bucketcache.hit=991, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 10:14:55.463, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1655201640_63738', total_run_time=6.61, event_count=0, result_count=0, available_count=0, scan_count=13250, drop_count=0, exec_time=1655201663, api_et=1655198040.000000000, api_lt=1655201640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655198040.000000000, search_lt=1655201664.858512000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2777", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=410, eliminated_buckets=281, considered_events=13602, total_slices=497756, decompressed_slices=2934, duration.command.search.index=1515, invocations.command.search.index.bucketcache.hit=410, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=6189, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=40, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=108, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=317, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=68, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=5, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=149, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=4, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") 
`filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-14-2022 10:11:25.851, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1655201460_63673', total_run_time=4.79, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655201465, api_et=1655197860.000000000, api_lt=1655201460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655197860.000000000, search_lt=1655201467.004674000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2850", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_7d94d2fc0f7cd486", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=123, eliminated_buckets=48, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=68, invocations.command.search.index.bucketcache.hit=123, 
duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 10:09:55.490, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1655201340_63640', total_run_time=21.45, event_count=0, result_count=0, available_count=0, scan_count=4648775, drop_count=0, exec_time=1655201345, api_et=1655197140.000000000, api_lt=1655200740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655197140.000000000, search_lt=1655200740.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3077", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_825105aac2e5c15b", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=752, eliminated_buckets=371, considered_events=4648775, total_slices=1132725, decompressed_slices=221193, duration.command.search.index=2544, invocations.command.search.index.bucketcache.hit=752, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=37278, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=197, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 10:08:25.683, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1655201220_63620', total_run_time=17.45, event_count=1161, result_count=57, available_count=0, scan_count=341723, drop_count=0, exec_time=1655201280, api_et=1655197620.000000000, api_lt=1655201220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655197620.000000000, search_lt=1655201281.931122000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2752", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=410, eliminated_buckets=201, considered_events=348509, total_slices=712492, decompressed_slices=109124, duration.command.search.index=5484, invocations.command.search.index.bucketcache.hit=410, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=36158, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=2, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=279917, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=32907, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype 
CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-14-2022 10:07:35.770, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1655201220_63615', total_run_time=6.50, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655201246, api_et=1655197620.000000000, api_lt=1655201220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655197620.000000000, search_lt=1655201248.369279000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2852", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_d19dbfbd7980b9a6", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=410, eliminated_buckets=201, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=932, invocations.command.search.index.bucketcache.hit=410, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 09:44:17.548, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1655199780_63149', total_run_time=30.39, event_count=0, result_count=0, available_count=0, scan_count=3941, drop_count=0, exec_time=1655199818, api_et=1655196180.000000000, api_lt=1655199780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655196180.000000000, search_lt=1655199820.371379000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2833", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_2d3ab2f2b1e6af04", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=1, considered_events=3941, total_slices=880829, decompressed_slices=1313, duration.command.search.index=1101, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5108, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 09:41:46.821, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1655199180_62944', total_run_time=51.25, event_count=0, result_count=0, available_count=0, scan_count=41905934, drop_count=0, exec_time=1655199205, api_et=1655195580.000000000, api_lt=1655199180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655195580.000000000, search_lt=1655199207.377475000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3835", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_9822891e5375278d", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1814, eliminated_buckets=106, considered_events=41905934, total_slices=14584911, decompressed_slices=4529520, duration.command.search.index=15328, invocations.command.search.index.bucketcache.hit=1814, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=254122, invocations.command.search.rawdata.bucketcache.hit=317, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 09:17:46.572, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1655198160_62602', total_run_time=10.63, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655198170, api_et=1655193960.000000000, api_lt=1655197560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655194560.000000000, search_lt=1655198172.557113000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3469", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_c7ed5f5b25c4fbb0", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=990, eliminated_buckets=293, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=794, invocations.command.search.index.bucketcache.hit=990, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 09:14:58.414, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1655198040_62562', total_run_time=6.77, event_count=0, result_count=0, available_count=0, scan_count=12399, drop_count=0, exec_time=1655198063, api_et=1655194440.000000000, api_lt=1655198040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655194440.000000000, search_lt=1655198064.806163000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2685", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=419, eliminated_buckets=290, considered_events=12399, total_slices=431805, decompressed_slices=3056, duration.command.search.index=1142, invocations.command.search.index.bucketcache.hit=419, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5868, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=46, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=124, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=316, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=76, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=3, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=102, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=3, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") 
`filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-14-2022 09:11:14.779, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1655197860_62494', total_run_time=4.72, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655197864, api_et=1655194260.000000000, api_lt=1655197860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655194260.000000000, search_lt=1655197866.145481000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2664", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_6b8d0eed12fc7cd5", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=123, eliminated_buckets=48, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=68, invocations.command.search.index.bucketcache.hit=123, 
duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 09:10:47.264, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1655197620_62436', total_run_time=5.36, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655197646, api_et=1655194020.000000000, api_lt=1655197620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655194020.000000000, search_lt=1655197648.521539000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2806", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_ace85bcd4f5e9e92", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=421, eliminated_buckets=202, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=1362, invocations.command.search.index.bucketcache.hit=421, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 09:10:46.188, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1655197620_62441', total_run_time=20.10, event_count=1556, result_count=55, available_count=0, scan_count=350076, drop_count=0, exec_time=1655197680, api_et=1655194020.000000000, api_lt=1655197620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655194020.000000000, search_lt=1655197681.993397000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2473", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=421, eliminated_buckets=202, considered_events=354450, total_slices=782139, decompressed_slices=218865, duration.command.search.index=4539, invocations.command.search.index.bucketcache.hit=421, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=40351, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=1, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=293929, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=29435, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-14-2022 09:10:46.049, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1655197740_62459', total_run_time=23.60, event_count=0, result_count=0, available_count=0, scan_count=4843688, drop_count=0, exec_time=1655197745, api_et=1655193540.000000000, api_lt=1655197140.000000000, 
api_index_et=N/A, api_index_lt=N/A, search_et=1655193540.000000000, search_lt=1655197140.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3152", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_9a358d1e078752cb", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=739, eliminated_buckets=374, considered_events=4843688, total_slices=1173055, decompressed_slices=222868, duration.command.search.index=1856, invocations.command.search.index.bucketcache.hit=739, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=34641, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=185, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | 
stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 09:00:42.029, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655197140_62244', total_run_time=28.65, event_count=0, result_count=0, available_count=0, scan_count=22526164, drop_count=0, exec_time=1655197190, api_et=1655182740.000000000, api_lt=1655197140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655182740.000000000, search_lt=1655197140.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2545", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=22526164, total_slices=1462453, decompressed_slices=398270, duration.command.search.index=7768, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, 
invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=62038, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11920700, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 08:59:11.781, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655197080_62231', total_run_time=19.53, event_count=0, result_count=0, available_count=0, scan_count=22522261, drop_count=0, exec_time=1655197129, 
api_et=1655182680.000000000, api_lt=1655197080.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655182680.000000000, search_lt=1655197080.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2571", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=22522261, total_slices=1460656, decompressed_slices=398226, duration.command.search.index=8053, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=62431, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11918761, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS 
existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 08:58:31.769, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655197020_62215', total_run_time=24.09, event_count=0, result_count=0, available_count=0, scan_count=22520465, drop_count=0, exec_time=1655197069, api_et=1655182620.000000000, api_lt=1655197020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655182620.000000000, search_lt=1655197020.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2621", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=22520465, total_slices=1458870, decompressed_slices=398253, duration.command.search.index=8209, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=65214, invocations.command.search.rawdata.bucketcache.hit=15, 
duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11918694, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 08:58:12.660, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655196900_62186', total_run_time=24.65, event_count=0, result_count=0, available_count=0, scan_count=22521886, drop_count=0, exec_time=1655196949, api_et=1655182500.000000000, api_lt=1655196900.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655182500.000000000, 
search_lt=1655196900.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2701", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=1, considered_events=22521886, total_slices=1455503, decompressed_slices=398220, duration.command.search.index=8372, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=64709, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11922104, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | 
search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 08:58:11.322, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655196960_62197', total_run_time=27.44, event_count=0, result_count=0, available_count=0, scan_count=22522506, drop_count=0, exec_time=1655197009, api_et=1655182560.000000000, api_lt=1655196960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655182560.000000000, search_lt=1655196960.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2658", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=1, considered_events=22522506, total_slices=1457174, decompressed_slices=398251, duration.command.search.index=7995, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=63321, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, 
duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11920961, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 08:55:29.399, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655196840_62170', total_run_time=38.84, event_count=0, result_count=0, available_count=0, scan_count=22517899, drop_count=0, exec_time=1655196890, api_et=1655182440.000000000, api_lt=1655196840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655182440.000000000, search_lt=1655196840.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", 
search_startup_time="3055", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=1, considered_events=22517899, total_slices=1453800, decompressed_slices=398199, duration.command.search.index=8558, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61565, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11922763, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen 
earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 08:54:18.806, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655196780_62153', total_run_time=22.99, event_count=0, result_count=0, available_count=0, scan_count=22513594, drop_count=0, exec_time=1655196829, api_et=1655182380.000000000, api_lt=1655196780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655182380.000000000, search_lt=1655196780.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3023", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=1, considered_events=22513594, total_slices=1451931, decompressed_slices=398179, duration.command.search.index=8070, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=60398, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11922026, 
search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 08:53:56.045, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655196540_62065', total_run_time=15.88, event_count=0, result_count=0, available_count=0, scan_count=22507319, drop_count=0, exec_time=1655196590, api_et=1655182140.000000000, api_lt=1655196540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655182140.000000000, search_lt=1655196540.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2646", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=2, considered_events=22507319, total_slices=1445246, decompressed_slices=398182, duration.command.search.index=8177, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=60904, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11922057, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 08:53:55.374, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655196660_62112', total_run_time=26.32, event_count=0, result_count=0, available_count=0, scan_count=22512891, drop_count=0, exec_time=1655196709, api_et=1655182260.000000000, api_lt=1655196660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655182260.000000000, search_lt=1655196660.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2600", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=2, considered_events=22512891, total_slices=1448608, decompressed_slices=398250, duration.command.search.index=8470, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61711, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11922993, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 08:53:55.127, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655196600_62087', total_run_time=16.10, event_count=0, result_count=0, available_count=0, scan_count=22512337, drop_count=0, exec_time=1655196649, api_et=1655182200.000000000, api_lt=1655196600.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655182200.000000000, search_lt=1655196600.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2725", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=2, considered_events=22512337, total_slices=1446921, decompressed_slices=398222, duration.command.search.index=9345, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=63654, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11923905, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 08:53:53.996, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655196720_62129', total_run_time=32.50, event_count=0, result_count=0, available_count=0, scan_count=22511046, drop_count=0, exec_time=1655196769, api_et=1655182320.000000000, api_lt=1655196720.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655182320.000000000, search_lt=1655196720.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2691", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=2, considered_events=22511046, total_slices=1450270, decompressed_slices=398213, duration.command.search.index=8943, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=68092, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11921468, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 08:49:18.590, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655196480_62042', total_run_time=15.03, event_count=0, result_count=0, available_count=0, scan_count=22503052, drop_count=0, exec_time=1655196530, api_et=1655182080.000000000, api_lt=1655196480.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655182080.000000000, search_lt=1655196480.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2641", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=1, considered_events=22503052, total_slices=1443504, decompressed_slices=398188, duration.command.search.index=8450, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58407, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11921167, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 08:48:18.671, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655196420_62026', total_run_time=14.55, event_count=0, result_count=0, available_count=0, scan_count=22501615, drop_count=0, exec_time=1655196469, api_et=1655182020.000000000, api_lt=1655196420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655182020.000000000, search_lt=1655196420.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2661", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=1, considered_events=22501615, total_slices=1441764, decompressed_slices=398158, duration.command.search.index=8146, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=62096, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11921762, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 08:47:17.679, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655196360_62004', total_run_time=14.87, event_count=0, result_count=0, available_count=0, scan_count=22503286, drop_count=0, exec_time=1655196410, api_et=1655181960.000000000, api_lt=1655196360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655181960.000000000, search_lt=1655196360.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2661", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=22503286, total_slices=1440160, decompressed_slices=398123, duration.command.search.index=8210, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58203, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11923443, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 08:46:20.768, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655196300_61986', total_run_time=13.91, event_count=0, result_count=0, available_count=0, scan_count=22505080, drop_count=0, exec_time=1655196349, api_et=1655181900.000000000, api_lt=1655196300.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655181900.000000000, search_lt=1655196300.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2287", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=22505080, total_slices=1438490, decompressed_slices=398152, duration.command.search.index=8166, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58016, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11925697, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 08:46:20.358, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655196060_61890', total_run_time=21.22, event_count=0, result_count=0, available_count=0, scan_count=22487692, drop_count=0, exec_time=1655196109, api_et=1655181660.000000000, api_lt=1655196060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655181660.000000000, search_lt=1655196060.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2686", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=22487692, total_slices=1431683, decompressed_slices=398050, duration.command.search.index=8725, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=62598, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11923528, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 08:46:19.039, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655196120_61914', total_run_time=14.83, event_count=0, result_count=0, available_count=0, scan_count=22488178, drop_count=0, exec_time=1655196169, api_et=1655181720.000000000, api_lt=1655196120.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655181720.000000000, search_lt=1655196120.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3323", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=22488178, total_slices=1433357, decompressed_slices=398050, duration.command.search.index=8088, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61981, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11922807, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 08:46:18.975, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655196180_61943', total_run_time=12.92, event_count=0, result_count=0, available_count=0, scan_count=22492986, drop_count=0, exec_time=1655196229, api_et=1655181780.000000000, api_lt=1655196180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655181780.000000000, search_lt=1655196180.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2614", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=22492986, total_slices=1435060, decompressed_slices=398070, duration.command.search.index=7772, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=60763, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11922956, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 08:46:18.698, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655195940_61844', total_run_time=16.09, event_count=0, result_count=0, available_count=0, scan_count=22488348, drop_count=0, exec_time=1655195989, api_et=1655181540.000000000, api_lt=1655195940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655181540.000000000, search_lt=1655195940.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2720", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=22488348, total_slices=1428167, decompressed_slices=397993, duration.command.search.index=8124, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=63945, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11926432, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 08:46:18.198, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1655196180_61940', total_run_time=21.38, event_count=0, result_count=0, available_count=0, scan_count=3117, drop_count=0, exec_time=1655196218, api_et=1655192580.000000000, api_lt=1655196180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655192580.000000000, search_lt=1655196220.601568000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2846", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_289c844aa7d5428c", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=128, eliminated_buckets=0, considered_events=3117, total_slices=847694, decompressed_slices=949, duration.command.search.index=1084, invocations.command.search.index.bucketcache.hit=128, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4881, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter 
vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 08:46:18.128, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655196240_61964', total_run_time=13.42, event_count=0, result_count=0, available_count=0, scan_count=22499766, drop_count=0, exec_time=1655196289, api_et=1655181840.000000000, api_lt=1655196240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655181840.000000000, search_lt=1655196240.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2694", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=22499766, total_slices=1436849, decompressed_slices=398057, duration.command.search.index=7844, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61363, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11924278, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 08:46:17.958, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655196000_61866', total_run_time=17.56, event_count=0, result_count=0, available_count=0, scan_count=22489530, drop_count=0, exec_time=1655196049, api_et=1655181600.000000000, api_lt=1655196000.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655181600.000000000, search_lt=1655196000.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2732", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=22489530, total_slices=1429608, decompressed_slices=398022, duration.command.search.index=9184, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=66877, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11925218, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 08:39:29.647, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655195880_61828', total_run_time=15.47, event_count=0, result_count=0, available_count=0, scan_count=22485262, drop_count=0, exec_time=1655195929, api_et=1655181480.000000000, api_lt=1655195880.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655181480.000000000, search_lt=1655195880.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2616", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=22485262, total_slices=1426459, decompressed_slices=398038, duration.command.search.index=8253, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=60573, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11924426, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 08:38:30.557, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655195820_61813', total_run_time=14.48, event_count=0, result_count=0, available_count=0, scan_count=22481758, drop_count=0, exec_time=1655195869, api_et=1655181420.000000000, api_lt=1655195820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655181420.000000000, search_lt=1655195820.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2634", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=22481758, total_slices=1424637, decompressed_slices=398030, duration.command.search.index=7958, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56679, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11924850, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 08:37:33.936, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655195640_61766', total_run_time=14.96, event_count=0, result_count=0, available_count=0, scan_count=22476389, drop_count=0, exec_time=1655195689, api_et=1655181240.000000000, api_lt=1655195640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655181240.000000000, search_lt=1655195640.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3018", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=22476389, total_slices=1419461, decompressed_slices=397916, duration.command.search.index=8322, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59193, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11922587, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 08:37:33.830, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1655195580_61718', total_run_time=45.07, event_count=0, result_count=0, available_count=0, scan_count=41765425, drop_count=0, exec_time=1655195605, api_et=1655191980.000000000, api_lt=1655195580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655191980.000000000, search_lt=1655195607.049612000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3897", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_ca894096e30160cb", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1814, eliminated_buckets=106, considered_events=41765425, total_slices=14495625, decompressed_slices=4457068, duration.command.search.index=16876, invocations.command.search.index.bucketcache.hit=1813, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=241861, invocations.command.search.rawdata.bucketcache.hit=312, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 08:37:33.686, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655195700_61788', total_run_time=13.38, event_count=0, result_count=0, available_count=0, scan_count=22476927, drop_count=0, exec_time=1655195750, api_et=1655181300.000000000, api_lt=1655195700.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655181300.000000000, search_lt=1655195700.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2636", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=22476927, total_slices=1421185, decompressed_slices=397948, duration.command.search.index=7802, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58151, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11922848, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 08:37:33.268, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655195280_61595', total_run_time=14.12, event_count=0, result_count=0, available_count=0, scan_count=22467007, drop_count=0, exec_time=1655195329, api_et=1655180880.000000000, api_lt=1655195280.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655180880.000000000, search_lt=1655195280.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2604", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=22467007, total_slices=1408956, decompressed_slices=397732, duration.command.search.index=8004, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=60785, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11923200, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 08:37:32.164, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655195340_61609', total_run_time=14.48, event_count=0, result_count=0, available_count=0, scan_count=22470881, drop_count=0, exec_time=1655195389, api_et=1655180940.000000000, api_lt=1655195340.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655180940.000000000, search_lt=1655195340.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2744", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=22470881, total_slices=1410766, decompressed_slices=397810, duration.command.search.index=7866, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=60661, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11923733, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 08:37:30.836, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655195400_61638', total_run_time=22.68, event_count=0, result_count=0, available_count=0, scan_count=22470747, drop_count=0, exec_time=1655195449, api_et=1655181000.000000000, api_lt=1655195400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655181000.000000000, search_lt=1655195400.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2721", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=22470747, total_slices=1412635, decompressed_slices=397932, duration.command.search.index=10586, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=80940, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11923133, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 08:37:30.003, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655195760_61798', total_run_time=14.61, event_count=0, result_count=0, available_count=0, scan_count=22482211, drop_count=0, exec_time=1655195810, api_et=1655181360.000000000, api_lt=1655195760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655181360.000000000, search_lt=1655195760.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2874", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=22482211, total_slices=1422876, decompressed_slices=398055, duration.command.search.index=8398, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=60882, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11925746, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 08:37:29.548, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655195520_61695', total_run_time=20.37, event_count=0, result_count=0, available_count=0, scan_count=22470991, drop_count=0, exec_time=1655195569, api_et=1655181120.000000000, api_lt=1655195520.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655181120.000000000, search_lt=1655195520.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2892", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=22470991, total_slices=1415934, decompressed_slices=397959, duration.command.search.index=9739, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=70136, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11919557, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 08:37:29.537, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655195580_61732', total_run_time=19.07, event_count=0, result_count=0, available_count=0, scan_count=22475265, drop_count=0, exec_time=1655195630, api_et=1655181180.000000000, api_lt=1655195580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655181180.000000000, search_lt=1655195580.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2838", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=22475265, total_slices=1417659, decompressed_slices=397946, duration.command.search.index=9426, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=64574, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11921188, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 08:37:29.439, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655195460_61666', total_run_time=17.38, event_count=0, result_count=0, available_count=0, scan_count=22472364, drop_count=0, exec_time=1655195510, api_et=1655181060.000000000, api_lt=1655195460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655181060.000000000, search_lt=1655195460.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3074", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=22472364, total_slices=1414254, decompressed_slices=398004, duration.command.search.index=9043, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=71726, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11922283, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 08:28:05.560, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655195220_61581', total_run_time=14.29, event_count=0, result_count=0, available_count=0, scan_count=22464708, drop_count=0, exec_time=1655195269, api_et=1655180820.000000000, api_lt=1655195220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655180820.000000000, search_lt=1655195220.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2611", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=0, considered_events=22464708, total_slices=1433032, decompressed_slices=397769, duration.command.search.index=8158, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=62511, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11925628, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 08:27:05.318, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655195160_61563', total_run_time=13.26, event_count=0, result_count=0, available_count=0, scan_count=22468462, drop_count=0, exec_time=1655195209, api_et=1655180760.000000000, api_lt=1655195160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655180760.000000000, search_lt=1655195160.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2591", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=0, considered_events=22468462, total_slices=1431390, decompressed_slices=397778, duration.command.search.index=8278, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59555, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11929801, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 08:26:43.145, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655194980_61515', total_run_time=14.62, event_count=0, result_count=0, available_count=0, scan_count=22465979, drop_count=0, exec_time=1655195029, api_et=1655180580.000000000, api_lt=1655194980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655180580.000000000, search_lt=1655194980.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2618", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=22465979, total_slices=1426402, decompressed_slices=397701, duration.command.search.index=8172, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58869, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11929907, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 08:26:42.944, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655195040_61533', total_run_time=15.45, event_count=0, result_count=0, available_count=0, scan_count=22468627, drop_count=0, exec_time=1655195089, api_et=1655180640.000000000, api_lt=1655195040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655180640.000000000, search_lt=1655195040.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2650", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=22468627, total_slices=1428115, decompressed_slices=397759, duration.command.search.index=9215, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=63206, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11930850, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 08:26:42.894, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655195100_61547', total_run_time=14.78, event_count=0, result_count=0, available_count=0, scan_count=22470357, drop_count=0, exec_time=1655195150, api_et=1655180700.000000000, api_lt=1655195100.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655180700.000000000, search_lt=1655195100.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3216", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=0, considered_events=22470357, total_slices=1429767, decompressed_slices=397733, duration.command.search.index=7849, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61219, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11931571, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 08:23:08.825, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655194920_61482', total_run_time=16.62, event_count=0, result_count=0, available_count=0, scan_count=22465106, drop_count=0, exec_time=1655194970, api_et=1655180520.000000000, api_lt=1655194920.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655180520.000000000, search_lt=1655194920.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2675", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=0, considered_events=22465106, total_slices=1424674, decompressed_slices=397721, duration.command.search.index=8945, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=63739, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11930340, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 08:22:46.041, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD5f35305de57109d38_at_1655194800_61439', total_run_time=16.84, event_count=11931256, result_count=15, available_count=0, scan_count=22463532, drop_count=0, exec_time=1655194857, api_et=1655180400.000000000, api_lt=1655194800.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655180400.000000000, search_lt=1655194800.000000000, is_realtime=0, savedsearch_name="(1/3)_Public/NAT IP_Updating Existing IP", search_startup_time="2455", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_0f6d107c44b6659a", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=22463532, total_slices=1473195, decompressed_slices=397560, duration.command.search.index=9172, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=64548, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11931256, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="False" | eval earliest_seen=strptime(existing_es, "%m/%d/%Y %H:%M:%S.%N") | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(earliest_seen) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields ServiceType, host, src_translated_ip, earliest_seen, latest_seen, right_now, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 08:22:45.812, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655194860_61466', total_run_time=15.62, event_count=0, result_count=0, available_count=0, scan_count=22465196, drop_count=0, exec_time=1655194910, api_et=1655180460.000000000, api_lt=1655194860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655180460.000000000, search_lt=1655194860.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2750", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=0, considered_events=22465196, total_slices=1422988, decompressed_slices=397619, duration.command.search.index=9412, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=65420, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11931937, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 08:22:45.429, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655194680_61386', total_run_time=17.96, event_count=0, result_count=0, available_count=0, scan_count=22458661, drop_count=0, exec_time=1655194729, api_et=1655180280.000000000, api_lt=1655194680.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655180280.000000000, search_lt=1655194680.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2934", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=22458661, total_slices=1495095, decompressed_slices=397555, duration.command.search.index=9540, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=68260, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11930215, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 08:22:44.955, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655194800_61436', total_run_time=15.33, event_count=0, result_count=0, available_count=0, scan_count=22463548, drop_count=0, exec_time=1655194850, api_et=1655180400.000000000, api_lt=1655194800.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655180400.000000000, search_lt=1655194800.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2573", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=22463548, total_slices=1472993, decompressed_slices=397561, duration.command.search.index=8871, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=64872, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11931256, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 08:22:44.017, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655194740_61411', total_run_time=16.14, event_count=0, result_count=0, available_count=0, scan_count=22460840, drop_count=0, exec_time=1655194789, api_et=1655180340.000000000, api_lt=1655194740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655180340.000000000, search_lt=1655194740.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2689", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=22460840, total_slices=1496805, decompressed_slices=397580, duration.command.search.index=8597, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61590, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11930579, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 08:18:28.000, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655194620_61366', total_run_time=16.42, event_count=0, result_count=0, available_count=0, scan_count=22457234, drop_count=0, exec_time=1655194669, api_et=1655180220.000000000, api_lt=1655194620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655180220.000000000, search_lt=1655194620.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2564", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=22457234, total_slices=1493412, decompressed_slices=397509, duration.command.search.index=9184, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=67498, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11931009, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 08:17:27.885, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655194560_61341', total_run_time=15.34, event_count=0, result_count=0, available_count=0, scan_count=22458184, drop_count=0, exec_time=1655194610, api_et=1655180160.000000000, api_lt=1655194560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655180160.000000000, search_lt=1655194560.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2572", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=22458184, total_slices=1491300, decompressed_slices=397534, duration.command.search.index=8159, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=64126, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11934677, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 08:16:27.425, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655194500_61324', total_run_time=14.99, event_count=0, result_count=0, available_count=0, scan_count=22461508, drop_count=0, exec_time=1655194549, api_et=1655180100.000000000, api_lt=1655194500.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655180100.000000000, search_lt=1655194500.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2869", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=22461508, total_slices=1490084, decompressed_slices=397523, duration.command.search.index=8675, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=68320, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11935984, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 08:16:27.388, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1655194560_61335', total_run_time=13.64, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655194570, api_et=1655190360.000000000, api_lt=1655193960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655190960.000000000, search_lt=1655194573.186727000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3733", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_388efb893a1a5ada", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=992, eliminated_buckets=294, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=976, invocations.command.search.index.bucketcache.hit=992, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 08:15:57.285, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1655194440_61292', total_run_time=4.22, event_count=0, result_count=0, available_count=0, scan_count=12814, drop_count=0, exec_time=1655194463, api_et=1655190840.000000000, api_lt=1655194440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655190840.000000000, search_lt=1655194465.443657000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="3005", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=409, eliminated_buckets=279, considered_events=12814, total_slices=475116, decompressed_slices=2905, duration.command.search.index=925, invocations.command.search.index.bucketcache.hit=409, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5612, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=51, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=96, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=277, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=64, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=7, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=74, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=3, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") 
`filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-14-2022 08:15:57.092, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655194440_61305', total_run_time=13.08, event_count=0, result_count=0, available_count=0, scan_count=22458667, drop_count=0, exec_time=1655194489, api_et=1655180040.000000000, api_lt=1655194440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655180040.000000000, search_lt=1655194440.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2671", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=22458667, total_slices=1488383, decompressed_slices=397426, duration.command.search.index=8124, invocations.command.search.index.bucketcache.hit=140, 
duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58730, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11934109, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 08:15:56.596, user=u00002, action=search, info=completed, 
search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655194380_61282', total_run_time=15.25, event_count=0, result_count=0, available_count=0, scan_count=22455031, drop_count=0, exec_time=1655194429, api_et=1655179980.000000000, api_lt=1655194380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655179980.000000000, search_lt=1655194380.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2715", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=22455031, total_slices=1486720, decompressed_slices=397491, duration.command.search.index=8329, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=62980, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11933593, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" 
src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 08:13:25.710, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655194320_61254', total_run_time=14.53, event_count=0, result_count=0, available_count=0, scan_count=22453017, drop_count=0, exec_time=1655194369, api_et=1655179920.000000000, api_lt=1655194320.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655179920.000000000, search_lt=1655194320.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2651", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=22453017, total_slices=1484868, decompressed_slices=397524, duration.command.search.index=8056, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, 
invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61304, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11934482, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 08:12:25.831, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655194260_61236', total_run_time=14.42, 
event_count=0, result_count=0, available_count=0, scan_count=22449977, drop_count=0, exec_time=1655194309, api_et=1655179860.000000000, api_lt=1655194260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655179860.000000000, search_lt=1655194260.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3233", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=22449977, total_slices=1483234, decompressed_slices=397421, duration.command.search.index=7967, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61100, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11936770, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, 
dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 08:11:25.766, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1655194260_61218', total_run_time=5.02, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655194265, api_et=1655190660.000000000, api_lt=1655194260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655190660.000000000, search_lt=1655194267.669365000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="3108", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_b395bf8fccfcea0f", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=123, eliminated_buckets=48, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=66, invocations.command.search.index.bucketcache.hit=123, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, 
duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 08:11:25.620, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655194200_61208', total_run_time=14.49, event_count=0, result_count=0, available_count=0, scan_count=22452549, drop_count=0, exec_time=1655194248, api_et=1655179800.000000000, api_lt=1655194200.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655179800.000000000, search_lt=1655194200.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3149", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=22452549, total_slices=1481526, decompressed_slices=397390, duration.command.search.index=7939, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61039, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11939256, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 08:10:25.620, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655194140_61191', total_run_time=14.95, event_count=0, result_count=0, available_count=0, scan_count=22449532, drop_count=0, exec_time=1655194190, api_et=1655179740.000000000, api_lt=1655194140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655179740.000000000, search_lt=1655194140.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2688", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=22449532, total_slices=1479871, decompressed_slices=397305, duration.command.search.index=7803, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=63162, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11938175, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 08:09:55.733, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1655194140_61183', total_run_time=22.99, event_count=0, result_count=0, available_count=0, scan_count=4670825, drop_count=0, exec_time=1655194146, api_et=1655189940.000000000, api_lt=1655193540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655189940.000000000, search_lt=1655193540.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3044", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_cf410c1c37d8bc99", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=710, eliminated_buckets=367, considered_events=4670825, total_slices=1093203, decompressed_slices=215980, duration.command.search.index=1835, invocations.command.search.index.bucketcache.hit=710, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=34274, invocations.command.search.rawdata.bucketcache.hit=7, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=152, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 08:09:26.031, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655194080_61175', total_run_time=14.01, event_count=0, result_count=0, available_count=0, scan_count=22441729, drop_count=0, exec_time=1655194129, api_et=1655179680.000000000, api_lt=1655194080.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655179680.000000000, search_lt=1655194080.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New 
IP", search_startup_time="2652", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=22441729, total_slices=1478003, decompressed_slices=397172, duration.command.search.index=8112, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58541, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11935534, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as 
latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 08:08:26.380, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1655194020_61162', total_run_time=18.54, event_count=1174, result_count=57, available_count=0, scan_count=357210, drop_count=0, exec_time=1655194080, api_et=1655190420.000000000, api_lt=1655194020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655190420.000000000, search_lt=1655194082.478103000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - Windows - CLI Threat Indicator Detected - Rule", search_startup_time="3005", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=410, eliminated_buckets=203, considered_events=362365, total_slices=456744, decompressed_slices=103004, duration.command.search.index=3261, invocations.command.search.index.bucketcache.hit=409, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=28043, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=3, 
sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=294084, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=34622, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-14-2022 08:08:25.651, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655194020_61159', total_run_time=14.02, event_count=0, 
result_count=0, available_count=0, scan_count=22438464, drop_count=0, exec_time=1655194069, api_et=1655179620.000000000, api_lt=1655194020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655179620.000000000, search_lt=1655194020.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2641", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=22438464, total_slices=1476262, decompressed_slices=397154, duration.command.search.index=8380, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56456, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11937655, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | 
lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 08:07:56.031, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1655194020_61154', total_run_time=4.19, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655194046, api_et=1655190420.000000000, api_lt=1655194020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655190420.000000000, search_lt=1655194048.662723000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2763", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_fe86fa30b4a15b88", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=410, eliminated_buckets=203, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=698, invocations.command.search.index.bucketcache.hit=409, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, 
duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 08:07:26.061, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655193960_61137', total_run_time=17.13, event_count=0, result_count=0, available_count=0, scan_count=22436201, drop_count=0, exec_time=1655194010, api_et=1655179560.000000000, api_lt=1655193960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655179560.000000000, search_lt=1655193960.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2829", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=22436201, total_slices=1474520, decompressed_slices=397104, duration.command.search.index=8832, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=65312, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11939996, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 08:06:26.364, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655193900_61123', total_run_time=14.93, event_count=0, result_count=0, available_count=0, scan_count=22436155, drop_count=0, exec_time=1655193950, api_et=1655179500.000000000, api_lt=1655193900.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655179500.000000000, search_lt=1655193900.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3462", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=22436155, total_slices=1472835, decompressed_slices=397130, duration.command.search.index=8338, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=62014, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11941372, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 08:05:26.283, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655193840_61106', total_run_time=16.07, event_count=0, result_count=0, available_count=0, scan_count=22434901, drop_count=0, exec_time=1655193889, api_et=1655179440.000000000, api_lt=1655193840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655179440.000000000, search_lt=1655193840.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2860", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=22434901, total_slices=1471138, decompressed_slices=397001, duration.command.search.index=9030, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=70540, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11940883, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 08:04:26.102, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655193780_61065', total_run_time=16.18, event_count=0, result_count=0, available_count=0, scan_count=22429853, drop_count=0, exec_time=1655193830, api_et=1655179380.000000000, api_lt=1655193780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655179380.000000000, search_lt=1655193780.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2775", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=141, eliminated_buckets=1, considered_events=22429853, total_slices=1469213, decompressed_slices=396837, duration.command.search.index=9781, invocations.command.search.index.bucketcache.hit=141, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=72807, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11937867, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 08:03:25.746, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655193720_61016', total_run_time=15.76, event_count=0, result_count=0, available_count=0, scan_count=22427166, drop_count=0, exec_time=1655193769, api_et=1655179320.000000000, api_lt=1655193720.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655179320.000000000, search_lt=1655193720.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2582", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=141, eliminated_buckets=1, considered_events=22427166, total_slices=1467206, decompressed_slices=396770, duration.command.search.index=8728, invocations.command.search.index.bucketcache.hit=141, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=68669, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11937089, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 08:02:25.824, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655193660_60985', total_run_time=16.75, event_count=0, result_count=0, available_count=0, scan_count=22425263, drop_count=0, exec_time=1655193709, api_et=1655179260.000000000, api_lt=1655193660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655179260.000000000, search_lt=1655193660.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2512", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=141, eliminated_buckets=2, considered_events=22425263, total_slices=1465240, decompressed_slices=396756, duration.command.search.index=9599, invocations.command.search.index.bucketcache.hit=141, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=73700, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11940486, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 08:01:25.887, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655193600_60954', total_run_time=18.32, event_count=0, result_count=0, available_count=0, scan_count=22424153, drop_count=0, exec_time=1655193649, api_et=1655179200.000000000, api_lt=1655193600.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655179200.000000000, search_lt=1655193600.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2602", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=2, considered_events=22424153, total_slices=1489880, decompressed_slices=396664, duration.command.search.index=9289, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=75415, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11941095, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 07:44:25.786, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1655192580_60668', total_run_time=20.48, event_count=0, result_count=0, available_count=0, scan_count=3131, drop_count=0, exec_time=1655192618, api_et=1655188980.000000000, api_lt=1655192580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655188980.000000000, search_lt=1655192620.028324000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2785", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_051603241bea1263", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=128, eliminated_buckets=0, considered_events=3131, total_slices=890548, decompressed_slices=1085, duration.command.search.index=1058, invocations.command.search.index.bucketcache.hit=128, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4663, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter 
vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 07:34:26.209, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1655191980_60467', total_run_time=48.68, event_count=0, result_count=0, available_count=0, scan_count=41545912, drop_count=0, exec_time=1655192006, api_et=1655188380.000000000, api_lt=1655191980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655188380.000000000, search_lt=1655192007.915469000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3342", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_c0c5ac1104678e4c", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1821, eliminated_buckets=106, considered_events=41545912, total_slices=14459945, decompressed_slices=4431611, duration.command.search.index=16933, invocations.command.search.index.bucketcache.hit=1821, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=248315, invocations.command.search.rawdata.bucketcache.hit=313, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 07:16:55.523, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1655190960_60126', total_run_time=21.12, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655190970, api_et=1655186760.000000000, api_lt=1655190360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655187360.000000000, search_lt=1655190972.296989000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3258", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_0558e7d86d3a9908", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=996, eliminated_buckets=296, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=1315, invocations.command.search.index.bucketcache.hit=996, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?<rapiddiag_operation>task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metadata")` | rex field=uri "\?(?<get_parameters>.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?<task_name>.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metadata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes 
values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 07:14:55.530, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1655190840_60086', total_run_time=5.54, event_count=0, result_count=0, available_count=0, scan_count=19359, drop_count=0, exec_time=1655190863, api_et=1655187240.000000000, api_lt=1655190840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655187240.000000000, search_lt=1655190865.059005000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2817", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=416, eliminated_buckets=285, considered_events=19609, total_slices=471212, decompressed_slices=3114, duration.command.search.index=1223, 
invocations.command.search.index.bucketcache.hit=415, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5872, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=41, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=121, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=319, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=74, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=3, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=77, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=2, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR 
sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." 
(CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-14-2022 07:11:14.331, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1655190660_60020', total_run_time=5.59, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655190664, api_et=1655187060.000000000, api_lt=1655190660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655187060.000000000, search_lt=1655190667.161466000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="3479", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_eff754ff4bc001a5", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=122, eliminated_buckets=47, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=57, invocations.command.search.index.bucketcache.hit=122, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 07:10:51.619, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1655190540_59989', total_run_time=21.64, event_count=0, result_count=0, available_count=0, scan_count=4965672, drop_count=0, exec_time=1655190547, api_et=1655186340.000000000, api_lt=1655189940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655186340.000000000, search_lt=1655189940.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3168", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_506922a6a61f4848", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=701, eliminated_buckets=373, considered_events=4965672, total_slices=1090356, decompressed_slices=218967, duration.command.search.index=1847, invocations.command.search.index.bucketcache.hit=701, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=34050, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=96, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 07:08:36.268, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1655190420_59971', total_run_time=16.99, event_count=1182, result_count=66, available_count=0, scan_count=356926, drop_count=0, exec_time=1655190480, api_et=1655186820.000000000, api_lt=1655190420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655186820.000000000, search_lt=1655190482.214598000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2914", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=417, eliminated_buckets=202, considered_events=362549, total_slices=504717, decompressed_slices=113522, duration.command.search.index=3266, invocations.command.search.index.bucketcache.hit=416, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=28575, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=1, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=290230, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=32221, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype 
CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-14-2022 07:07:36.438, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1655190420_59966', total_run_time=5.75, event_count=0, result_count=0, available_count=0, scan_count=1, drop_count=0, exec_time=1655190446, api_et=1655186820.000000000, api_lt=1655190420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655186820.000000000, search_lt=1655190448.465416000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2787", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_c2c9652857f374e4", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=417, eliminated_buckets=202, considered_events=1, total_slices=2501, decompressed_slices=1, duration.command.search.index=826, invocations.command.search.index.bucketcache.hit=416, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=134, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 06:44:23.314, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1655188980_59495', total_run_time=21.33, event_count=0, result_count=0, available_count=0, scan_count=3723, drop_count=0, exec_time=1655189018, api_et=1655185380.000000000, api_lt=1655188980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655185380.000000000, search_lt=1655189020.505696000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2797", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_d44eb399dd0cf58f", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=125, eliminated_buckets=0, considered_events=3723, total_slices=962866, decompressed_slices=1045, duration.command.search.index=1308, invocations.command.search.index.bucketcache.hit=125, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4800, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 06:37:09.993, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1655188380_59285', total_run_time=40.06, event_count=0, result_count=0, available_count=0, scan_count=41022071, drop_count=0, exec_time=1655188405, api_et=1655184780.000000000, api_lt=1655188380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655184780.000000000, search_lt=1655188407.605740000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3667", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_9864e5d677e5f314", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1815, eliminated_buckets=105, considered_events=41022071, total_slices=14571754, decompressed_slices=4366451, duration.command.search.index=14539, invocations.command.search.index.bucketcache.hit=1814, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=236812, invocations.command.search.rawdata.bucketcache.hit=305, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 06:17:01.940, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1655187360_58930', total_run_time=35.96, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655187371, api_et=1655183160.000000000, api_lt=1655186760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655183760.000000000, search_lt=1655187373.056351000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3219", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_e9ef52b9cd7fbdab", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=996, eliminated_buckets=295, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=809, invocations.command.search.index.bucketcache.hit=996, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 06:14:32.042, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1655187240_58890', total_run_time=6.73, event_count=0, result_count=0, available_count=0, scan_count=13312, drop_count=0, exec_time=1655187263, api_et=1655183640.000000000, api_lt=1655187240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655183640.000000000, search_lt=1655187265.272642000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2729", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=416, eliminated_buckets=284, considered_events=13706, total_slices=496118, decompressed_slices=2628, duration.command.search.index=1431, invocations.command.search.index.bucketcache.hit=416, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=6003, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=44, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=138, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=376, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=88, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=4, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=95, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | 
`filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-14-2022 06:11:22.740, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1655187060_58822', total_run_time=5.16, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655187064, api_et=1655183460.000000000, api_lt=1655187060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655183460.000000000, search_lt=1655187066.475638000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2614", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_0dfdcb6130a53dde", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=123, eliminated_buckets=48, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=56, invocations.command.search.index.bucketcache.hit=123, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 06:11:03.262, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1655186940_58789', total_run_time=21.75, event_count=0, result_count=0, available_count=0, scan_count=4740204, drop_count=0, exec_time=1655186945, api_et=1655182740.000000000, api_lt=1655186340.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655182740.000000000, search_lt=1655186340.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="2957", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_4c2826e6ad6729c9", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=666, eliminated_buckets=354, considered_events=4740204, total_slices=1096137, decompressed_slices=215827, duration.command.search.index=2090, invocations.command.search.index.bucketcache.hit=666, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=35034, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=116, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 06:08:38.908, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1655186820_58768', total_run_time=20.84, event_count=1078, result_count=56, available_count=0, scan_count=328037, drop_count=0, exec_time=1655186880, api_et=1655183220.000000000, api_lt=1655186820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655183220.000000000, search_lt=1655186881.912927000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2835", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=418, eliminated_buckets=205, considered_events=340094, total_slices=623216, decompressed_slices=91873, duration.command.search.index=3901, invocations.command.search.index.bucketcache.hit=418, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=28164, invocations.command.search.rawdata.bucketcache.hit=7, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=267207, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=28848, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | 
rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-14-2022 06:07:39.172, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1655186820_58763', total_run_time=8.25, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655186846, api_et=1655183220.000000000, api_lt=1655186820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655183220.000000000, search_lt=1655186848.244800000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2745", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_22a443ad9611559c", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=418, eliminated_buckets=205, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=996, invocations.command.search.index.bucketcache.hit=417, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, 
invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 05:44:28.710, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1655185380_58293', total_run_time=27.21, event_count=0, result_count=0, available_count=0, scan_count=2949, drop_count=0, exec_time=1655185418, api_et=1655181780.000000000, api_lt=1655185380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655181780.000000000, search_lt=1655185420.407094000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2862", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_c0c18a15a19e4096", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=123, eliminated_buckets=0, considered_events=2949, total_slices=944743, decompressed_slices=964, duration.command.search.index=1263, invocations.command.search.index.bucketcache.hit=123, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5054, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 05:35:23.176, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1655184780_58088', total_run_time=37.84, event_count=0, result_count=0, available_count=0, scan_count=41159602, drop_count=0, exec_time=1655184805, api_et=1655181180.000000000, api_lt=1655184780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655181180.000000000, search_lt=1655184807.312164000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3825", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_a0bb69b8f489f2fa", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1812, eliminated_buckets=105, considered_events=41159602, total_slices=14638694, decompressed_slices=4378309, duration.command.search.index=16407, invocations.command.search.index.bucketcache.hit=1812, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=235193, invocations.command.search.rawdata.bucketcache.hit=308, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 05:16:26.042, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1655183760_57749', total_run_time=9.52, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655183770, api_et=1655179560.000000000, api_lt=1655183160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655180160.000000000, search_lt=1655183772.566916000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3237", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_a569584240d87237", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=994, eliminated_buckets=295, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=695, invocations.command.search.index.bucketcache.hit=994, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 05:14:55.915, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1655183640_57708', total_run_time=23.69, event_count=0, result_count=0, available_count=0, scan_count=19820, drop_count=0, exec_time=1655183663, api_et=1655180040.000000000, api_lt=1655183640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655180040.000000000, search_lt=1655183665.780264000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="3011", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=411, eliminated_buckets=281, considered_events=20491, total_slices=564397, decompressed_slices=3745, duration.command.search.index=1457, invocations.command.search.index.bucketcache.hit=411, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=8112, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=53, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=111, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=309, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=73, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=1, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=55, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=3, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") 
`filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-14-2022 05:11:25.994, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1655183460_57643', total_run_time=4.88, event_count=0, result_count=0, available_count=0, scan_count=3, drop_count=0, exec_time=1655183465, api_et=1655179860.000000000, api_lt=1655183460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655179860.000000000, search_lt=1655183466.957362000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2756", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_3ea547a9da465b41", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=122, eliminated_buckets=49, considered_events=3, total_slices=2824, decompressed_slices=2, duration.command.search.index=42, invocations.command.search.index.bucketcache.hit=122, 
duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=109, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 05:10:45.349, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1655183340_57612', total_run_time=78.30, event_count=0, result_count=0, available_count=0, scan_count=4770181, drop_count=0, exec_time=1655183346, api_et=1655179140.000000000, api_lt=1655182740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655179140.000000000, search_lt=1655182740.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3086", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_0a775e1801c7ba4f", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=645, eliminated_buckets=363, considered_events=4770181, total_slices=966625, decompressed_slices=218633, duration.command.search.index=2944, invocations.command.search.index.bucketcache.hit=645, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58995, invocations.command.search.rawdata.bucketcache.hit=7, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=50, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 05:10:22.764, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1655183220_57594', total_run_time=37.39, event_count=1210, result_count=55, available_count=0, scan_count=354071, drop_count=0, exec_time=1655183280, api_et=1655179620.000000000, api_lt=1655183220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655179620.000000000, search_lt=1655183282.492661000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2859", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=414, eliminated_buckets=202, considered_events=363281, total_slices=680762, decompressed_slices=98642, duration.command.search.index=10196, invocations.command.search.index.bucketcache.hit=412, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=106071, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=292884, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=32380, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | 
rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-14-2022 05:08:01.822, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1655183220_57588', total_run_time=18.58, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655183246, api_et=1655179620.000000000, api_lt=1655183220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655179620.000000000, search_lt=1655183248.417951000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2695", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_bdea19215d7b54da", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=414, eliminated_buckets=202, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=2329, invocations.command.search.index.bucketcache.hit=412, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, 
invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 05:00:31.706, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655182740_57393', total_run_time=13.50, event_count=0, result_count=0, available_count=0, scan_count=22447905, drop_count=0, exec_time=1655182789, api_et=1655168340.000000000, api_lt=1655182740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655168340.000000000, search_lt=1655182740.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2584", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=22447905, total_slices=1470743, decompressed_slices=408394, duration.command.search.index=7838, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61024, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11727016, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 04:59:28.909, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655182680_57380', total_run_time=14.09, event_count=0, result_count=0, available_count=0, scan_count=22455256, drop_count=0, exec_time=1655182729, api_et=1655168280.000000000, api_lt=1655182680.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655168280.000000000, search_lt=1655182680.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3098", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=22455256, total_slices=1468962, decompressed_slices=408513, duration.command.search.index=8152, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59851, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11728611, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 04:58:31.841, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655182620_57365', total_run_time=14.33, event_count=0, result_count=0, available_count=0, scan_count=22461661, drop_count=0, exec_time=1655182669, api_et=1655168220.000000000, api_lt=1655182620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655168220.000000000, search_lt=1655182620.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2732", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=22461661, total_slices=1467116, decompressed_slices=408679, duration.command.search.index=8497, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58911, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11727729, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 04:57:31.496, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655182560_57348', total_run_time=13.41, event_count=0, result_count=0, available_count=0, scan_count=22469267, drop_count=0, exec_time=1655182609, api_et=1655168160.000000000, api_lt=1655182560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655168160.000000000, search_lt=1655182560.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2647", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=22469267, total_slices=1465107, decompressed_slices=408781, duration.command.search.index=8348, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56093, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11728602, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 04:56:31.758, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655182500_57337', total_run_time=14.43, event_count=0, result_count=0, available_count=0, scan_count=22474995, drop_count=0, exec_time=1655182549, api_et=1655168100.000000000, api_lt=1655182500.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655168100.000000000, search_lt=1655182500.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2666", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=22474995, total_slices=1463613, decompressed_slices=408950, duration.command.search.index=8751, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=60770, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11728372, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 04:55:31.499, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655182440_57322', total_run_time=13.29, event_count=0, result_count=0, available_count=0, scan_count=22484019, drop_count=0, exec_time=1655182489, api_et=1655168040.000000000, api_lt=1655182440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655168040.000000000, search_lt=1655182440.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2761", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=22484019, total_slices=1462062, decompressed_slices=409145, duration.command.search.index=8267, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58023, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11727393, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 04:54:31.613, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655182380_57305', total_run_time=13.23, event_count=0, result_count=0, available_count=0, scan_count=22491824, drop_count=0, exec_time=1655182429, api_et=1655167980.000000000, api_lt=1655182380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655167980.000000000, search_lt=1655182380.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3113", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=22491824, total_slices=1460388, decompressed_slices=409342, duration.command.search.index=8238, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56574, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11728850, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 04:53:31.475, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655182320_57282', total_run_time=15.04, event_count=0, result_count=0, available_count=0, scan_count=22500807, drop_count=0, exec_time=1655182369, api_et=1655167920.000000000, api_lt=1655182320.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655167920.000000000, search_lt=1655182320.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2773", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=22500807, total_slices=1484487, decompressed_slices=409466, duration.command.search.index=8661, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61885, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11731548, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 04:52:31.888, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655182260_57265', total_run_time=13.11, event_count=0, result_count=0, available_count=0, scan_count=22507042, drop_count=0, exec_time=1655182309, api_et=1655167860.000000000, api_lt=1655182260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655167860.000000000, search_lt=1655182260.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2548", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=22507042, total_slices=1482853, decompressed_slices=409580, duration.command.search.index=8766, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61271, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11732144, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 04:51:32.132, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655182200_57241', total_run_time=16.42, event_count=0, result_count=0, available_count=0, scan_count=22515823, drop_count=0, exec_time=1655182250, api_et=1655167800.000000000, api_lt=1655182200.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655167800.000000000, search_lt=1655182200.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2769", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=22515823, total_slices=1481261, decompressed_slices=409784, duration.command.search.index=9338, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=68373, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11733372, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 04:50:17.816, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655182080_57196', total_run_time=14.62, event_count=0, result_count=0, available_count=0, scan_count=22540791, drop_count=0, exec_time=1655182129, api_et=1655167680.000000000, api_lt=1655182080.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655167680.000000000, search_lt=1655182080.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2728", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=22540791, total_slices=1477801, decompressed_slices=410366, duration.command.search.index=8744, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61493, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11738518, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 04:50:16.606, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655182140_57217', total_run_time=14.49, event_count=0, result_count=0, available_count=0, scan_count=22529086, drop_count=0, exec_time=1655182190, api_et=1655167740.000000000, api_lt=1655182140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655167740.000000000, search_lt=1655182140.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2601", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=22529086, total_slices=1479488, decompressed_slices=410048, duration.command.search.index=8367, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56713, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11736042, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 04:48:24.558, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655182020_57180', total_run_time=12.53, event_count=0, result_count=0, available_count=0, scan_count=22549380, drop_count=0, exec_time=1655182069, api_et=1655167620.000000000, api_lt=1655182020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655167620.000000000, search_lt=1655182020.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2676", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=22549380, total_slices=1476013, decompressed_slices=410639, duration.command.search.index=8248, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=60551, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11740130, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 04:47:24.610, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655181960_57159', total_run_time=12.51, event_count=0, result_count=0, available_count=0, scan_count=22554540, drop_count=0, exec_time=1655182009, api_et=1655167560.000000000, api_lt=1655181960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655167560.000000000, search_lt=1655181960.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2649", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=22554540, total_slices=1474391, decompressed_slices=410764, duration.command.search.index=8287, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56633, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11739698, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 04:46:24.508, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655181900_57141', total_run_time=12.79, event_count=0, result_count=0, available_count=0, scan_count=22562687, drop_count=0, exec_time=1655181949, api_et=1655167500.000000000, api_lt=1655181900.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655167500.000000000, search_lt=1655181900.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2782", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=22562687, total_slices=1472674, decompressed_slices=410906, duration.command.search.index=8193, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57178, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11739169, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 04:45:24.350, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655181840_57118', total_run_time=14.10, event_count=0, result_count=0, available_count=0, scan_count=22575239, drop_count=0, exec_time=1655181890, api_et=1655167440.000000000, api_lt=1655181840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655167440.000000000, search_lt=1655181840.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3125", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=22575239, total_slices=1471043, decompressed_slices=411215, duration.command.search.index=8443, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58659, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11742101, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 04:44:24.381, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655181780_57097', total_run_time=13.19, event_count=0, result_count=0, available_count=0, scan_count=22587071, drop_count=0, exec_time=1655181829, api_et=1655167380.000000000, api_lt=1655181780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655167380.000000000, search_lt=1655181780.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3266", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=22587071, total_slices=1469228, decompressed_slices=411407, duration.command.search.index=8509, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59651, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11744831, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 04:44:24.351, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1655181780_57094', total_run_time=22.84, event_count=0, result_count=0, available_count=0, scan_count=3172, drop_count=0, exec_time=1655181818, api_et=1655178180.000000000, api_lt=1655181780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655178180.000000000, search_lt=1655181820.471859000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2879", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_93dbacc25f889a16", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=125, eliminated_buckets=0, considered_events=3172, total_slices=923693, decompressed_slices=1106, duration.command.search.index=1106, invocations.command.search.index.bucketcache.hit=125, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4819, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter 
vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 04:43:24.770, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655181720_57069', total_run_time=15.34, event_count=0, result_count=0, available_count=0, scan_count=22597327, drop_count=0, exec_time=1655181770, api_et=1655167320.000000000, api_lt=1655181720.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655167320.000000000, search_lt=1655181720.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2718", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=22597327, total_slices=1467575, decompressed_slices=411645, duration.command.search.index=9371, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=62142, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11745437, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 04:42:24.641, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655181660_57046', total_run_time=15.34, event_count=0, result_count=0, available_count=0, scan_count=22609163, drop_count=0, exec_time=1655181709, api_et=1655167260.000000000, api_lt=1655181660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655167260.000000000, search_lt=1655181660.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2731", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=22609163, total_slices=1465898, decompressed_slices=411890, duration.command.search.index=9072, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=63182, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11747627, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 04:41:24.364, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655181600_57021', total_run_time=13.74, event_count=0, result_count=0, available_count=0, scan_count=22615900, drop_count=0, exec_time=1655181650, api_et=1655167200.000000000, api_lt=1655181600.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655167200.000000000, search_lt=1655181600.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2693", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=22615900, total_slices=1464331, decompressed_slices=412061, duration.command.search.index=8846, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61007, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11747975, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 04:40:18.402, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655181480_56981', total_run_time=16.09, event_count=0, result_count=0, available_count=0, scan_count=22633151, drop_count=0, exec_time=1655181529, api_et=1655167080.000000000, api_lt=1655181480.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655167080.000000000, search_lt=1655181480.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2906", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=22633151, total_slices=1460883, decompressed_slices=412355, duration.command.search.index=9017, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=64192, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11751379, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 04:40:18.262, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655181540_56998', total_run_time=14.09, event_count=0, result_count=0, available_count=0, scan_count=22621909, drop_count=0, exec_time=1655181590, api_et=1655167140.000000000, api_lt=1655181540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655167140.000000000, search_lt=1655181540.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2742", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=22621909, total_slices=1462589, decompressed_slices=412227, duration.command.search.index=8101, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=60081, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11748335, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 04:38:44.346, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655181420_56968', total_run_time=30.03, event_count=0, result_count=0, available_count=0, scan_count=22642200, drop_count=0, exec_time=1655181470, api_et=1655167020.000000000, api_lt=1655181420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655167020.000000000, search_lt=1655181420.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2749", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=22642200, total_slices=1459180, decompressed_slices=412498, duration.command.search.index=15303, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=184684, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11753268, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 04:37:14.257, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655181360_56953', total_run_time=14.79, event_count=0, result_count=0, available_count=0, scan_count=22651957, drop_count=0, exec_time=1655181410, api_et=1655166960.000000000, api_lt=1655181360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655166960.000000000, search_lt=1655181360.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2718", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=22651957, total_slices=1457348, decompressed_slices=412621, duration.command.search.index=8663, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59067, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11753183, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 04:36:45.042, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655181300_56943', total_run_time=31.80, event_count=0, result_count=0, available_count=0, scan_count=22661541, drop_count=0, exec_time=1655181350, api_et=1655166900.000000000, api_lt=1655181300.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655166900.000000000, search_lt=1655181300.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2652", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=22661541, total_slices=1455840, decompressed_slices=412842, duration.command.search.index=15826, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=195266, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11755797, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 04:35:10.541, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655181240_56921', total_run_time=18.31, event_count=0, result_count=0, available_count=0, scan_count=22665401, drop_count=0, exec_time=1655181290, api_et=1655166840.000000000, api_lt=1655181240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655166840.000000000, search_lt=1655181240.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2740", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=22665401, total_slices=1453940, decompressed_slices=412912, duration.command.search.index=9492, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=65491, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11757354, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 04:35:09.228, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655181180_56886', total_run_time=17.17, event_count=0, result_count=0, available_count=0, scan_count=22676777, drop_count=0, exec_time=1655181229, api_et=1655166780.000000000, api_lt=1655181180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655166780.000000000, search_lt=1655181180.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2880", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=1, considered_events=22676777, total_slices=1452278, decompressed_slices=413141, duration.command.search.index=10201, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=75009, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11760326, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 04:35:08.995, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1655181180_56872', total_run_time=39.74, event_count=0, result_count=0, available_count=0, scan_count=41027002, drop_count=0, exec_time=1655181205, api_et=1655177580.000000000, api_lt=1655181180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655177580.000000000, search_lt=1655181207.499393000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3898", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_1e368ea9fdf4267e", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1824, eliminated_buckets=105, considered_events=41027002, total_slices=14459802, decompressed_slices=4394917, duration.command.search.index=17534, invocations.command.search.index.bucketcache.hit=1822, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=232967, invocations.command.search.rawdata.bucketcache.hit=335, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 04:33:27.811, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655181120_56848', total_run_time=21.88, event_count=0, result_count=0, available_count=0, scan_count=22689773, drop_count=0, exec_time=1655181169, api_et=1655166720.000000000, api_lt=1655181120.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655166720.000000000, search_lt=1655181120.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2898", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=1, considered_events=22689773, total_slices=1450505, decompressed_slices=413427, duration.command.search.index=11623, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=97517, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11763586, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 04:32:27.960, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655181060_56819', total_run_time=19.61, event_count=0, result_count=0, available_count=0, scan_count=22704114, drop_count=0, exec_time=1655181109, api_et=1655166660.000000000, api_lt=1655181060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655166660.000000000, search_lt=1655181060.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3174", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=1, considered_events=22704114, total_slices=1448820, decompressed_slices=413619, duration.command.search.index=10626, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=82392, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11766564, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 04:31:58.218, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655181000_56790', total_run_time=44.33, event_count=0, result_count=0, available_count=0, scan_count=22715691, drop_count=0, exec_time=1655181049, api_et=1655166600.000000000, api_lt=1655181000.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655166600.000000000, search_lt=1655181000.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2777", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=1, considered_events=22715691, total_slices=1447302, decompressed_slices=413762, duration.command.search.index=26663, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=247822, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11766862, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 04:30:43.057, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655180940_56759', total_run_time=31.17, event_count=0, result_count=0, available_count=0, scan_count=22721069, drop_count=0, exec_time=1655180990, api_et=1655166540.000000000, api_lt=1655180940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655166540.000000000, search_lt=1655180940.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2754", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=133, eliminated_buckets=0, considered_events=22721069, total_slices=1445376, decompressed_slices=413861, duration.command.search.index=11112, invocations.command.search.index.bucketcache.hit=133, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=160530, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11766599, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 04:30:15.654, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655180880_56746', total_run_time=13.32, event_count=0, result_count=0, available_count=0, scan_count=22730129, drop_count=0, exec_time=1655180929, api_et=1655166480.000000000, api_lt=1655180880.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655166480.000000000, search_lt=1655180880.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2554", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=133, eliminated_buckets=0, considered_events=22730129, total_slices=1443670, decompressed_slices=413989, duration.command.search.index=8149, invocations.command.search.index.bucketcache.hit=133, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61130, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11769498, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 04:28:26.859, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655180820_56732', total_run_time=12.91, event_count=0, result_count=0, available_count=0, scan_count=22735246, drop_count=0, exec_time=1655180869, api_et=1655166420.000000000, api_lt=1655180820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655166420.000000000, search_lt=1655180820.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2724", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=133, eliminated_buckets=0, considered_events=22735246, total_slices=1441974, decompressed_slices=414169, duration.command.search.index=8109, invocations.command.search.index.bucketcache.hit=133, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=62003, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11769697, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 04:27:26.930, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655180760_56714', total_run_time=12.79, event_count=0, result_count=0, available_count=0, scan_count=22742067, drop_count=0, exec_time=1655180809, api_et=1655166360.000000000, api_lt=1655180760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655166360.000000000, search_lt=1655180760.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2662", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=133, eliminated_buckets=1, considered_events=22742067, total_slices=1440250, decompressed_slices=414243, duration.command.search.index=7997, invocations.command.search.index.bucketcache.hit=133, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=62769, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11770177, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 04:26:27.080, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655180700_56698', total_run_time=14.24, event_count=0, result_count=0, available_count=0, scan_count=22748425, drop_count=0, exec_time=1655180749, api_et=1655166300.000000000, api_lt=1655180700.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655166300.000000000, search_lt=1655180700.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3230", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=132, eliminated_buckets=0, considered_events=22748425, total_slices=1438580, decompressed_slices=414457, duration.command.search.index=8335, invocations.command.search.index.bucketcache.hit=132, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61341, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11771089, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 04:25:26.894, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655180640_56684', total_run_time=13.66, event_count=0, result_count=0, available_count=0, scan_count=22759688, drop_count=0, exec_time=1655180689, api_et=1655166240.000000000, api_lt=1655180640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655166240.000000000, search_lt=1655180640.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2749", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=132, eliminated_buckets=0, considered_events=22759688, total_slices=1436940, decompressed_slices=414536, duration.command.search.index=8383, invocations.command.search.index.bucketcache.hit=132, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57908, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11773699, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 04:24:08.401, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655180580_56665', total_run_time=12.98, event_count=0, result_count=0, available_count=0, scan_count=22763880, drop_count=0, exec_time=1655180629, api_et=1655166180.000000000, api_lt=1655180580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655166180.000000000, search_lt=1655180580.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2695", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=132, eliminated_buckets=0, considered_events=22763880, total_slices=1435239, decompressed_slices=414683, duration.command.search.index=8221, invocations.command.search.index.bucketcache.hit=132, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57992, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11775653, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 04:23:27.143, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655180520_56633', total_run_time=14.55, event_count=0, result_count=0, available_count=0, scan_count=22771658, drop_count=0, exec_time=1655180569, api_et=1655166120.000000000, api_lt=1655180520.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655166120.000000000, search_lt=1655180520.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2799", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=22771658, total_slices=1433609, decompressed_slices=414805, duration.command.search.index=8171, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=60916, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11779783, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 04:22:27.062, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655180460_56617', total_run_time=13.71, event_count=0, result_count=0, available_count=0, scan_count=22782281, drop_count=0, exec_time=1655180509, api_et=1655166060.000000000, api_lt=1655180460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655166060.000000000, search_lt=1655180460.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2728", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=22782281, total_slices=1431922, decompressed_slices=415102, duration.command.search.index=8693, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59709, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11782258, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 04:21:26.888, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655180400_56588', total_run_time=15.30, event_count=0, result_count=0, available_count=0, scan_count=22795359, drop_count=0, exec_time=1655180449, api_et=1655166000.000000000, api_lt=1655180400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655166000.000000000, search_lt=1655180400.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2722", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=22795359, total_slices=1430179, decompressed_slices=415290, duration.command.search.index=9012, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=63735, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11787804, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 04:20:21.104, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655180340_56565', total_run_time=14.38, event_count=0, result_count=0, available_count=0, scan_count=22806915, drop_count=0, exec_time=1655180389, api_et=1655165940.000000000, api_lt=1655180340.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655165940.000000000, search_lt=1655180340.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2765", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=22806915, total_slices=1428646, decompressed_slices=415430, duration.command.search.index=8170, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61726, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11791640, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 04:20:20.511, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655180280_56539', total_run_time=14.94, event_count=0, result_count=0, available_count=0, scan_count=22811906, drop_count=0, exec_time=1655180329, api_et=1655165880.000000000, api_lt=1655180280.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655165880.000000000, search_lt=1655180280.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2821", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=22811906, total_slices=1426846, decompressed_slices=415435, duration.command.search.index=8792, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=64903, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11793485, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 04:18:11.245, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655180220_56519', total_run_time=13.71, event_count=0, result_count=0, available_count=0, scan_count=22822048, drop_count=0, exec_time=1655180269, api_et=1655165820.000000000, api_lt=1655180220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655165820.000000000, search_lt=1655180220.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2806", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=22822048, total_slices=1425163, decompressed_slices=415535, duration.command.search.index=8440, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=64231, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11797669, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 04:17:10.989, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655180160_56496', total_run_time=13.26, event_count=0, result_count=0, available_count=0, scan_count=22836838, drop_count=0, exec_time=1655180209, api_et=1655165760.000000000, api_lt=1655180160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655165760.000000000, search_lt=1655180160.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2841", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=22836838, total_slices=1423408, decompressed_slices=415734, duration.command.search.index=8176, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61090, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11798855, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 04:16:41.079, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1655180160_56490', total_run_time=8.55, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655180170, api_et=1655175960.000000000, api_lt=1655179560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655176560.000000000, search_lt=1655180172.703083000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3756", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_14a0c4153230ec17", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=995, eliminated_buckets=299, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=625, invocations.command.search.index.bucketcache.hit=995, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 04:16:10.987, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655180100_56478', total_run_time=13.89, event_count=0, result_count=0, available_count=0, scan_count=22846626, drop_count=0, exec_time=1655180149, api_et=1655165700.000000000, api_lt=1655180100.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655165700.000000000, search_lt=1655180100.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2617", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=22846626, total_slices=1421748, decompressed_slices=415854, duration.command.search.index=8348, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=64473, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11801209, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 04:15:03.261, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655179980_56436', total_run_time=12.72, event_count=0, result_count=0, available_count=0, scan_count=22865687, drop_count=0, exec_time=1655180029, api_et=1655165580.000000000, api_lt=1655179980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655165580.000000000, search_lt=1655179980.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2623", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=22865687, total_slices=1418416, decompressed_slices=416084, duration.command.search.index=8283, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61597, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11806407, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 04:15:03.254, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655180040_56459', total_run_time=13.17, event_count=0, result_count=0, available_count=0, scan_count=22859376, drop_count=0, exec_time=1655180089, api_et=1655165640.000000000, api_lt=1655180040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655165640.000000000, search_lt=1655180040.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2785", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=22859376, total_slices=1420104, decompressed_slices=416043, duration.command.search.index=8270, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61294, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11804213, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 04:15:02.699, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1655180040_56446', total_run_time=4.49, event_count=0, result_count=0, available_count=0, scan_count=12330, drop_count=0, exec_time=1655180063, api_et=1655176440.000000000, api_lt=1655180040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655176440.000000000, search_lt=1655180065.871631000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2925", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", 
provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=408, eliminated_buckets=280, considered_events=12411, total_slices=623718, decompressed_slices=2754, duration.command.search.index=938, invocations.command.search.index.bucketcache.hit=406, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5828, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=41, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=128, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=362, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=84, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=5, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=123, sourcetype_count__crowdstrike:falcon:fdr:RtfFileWritten=4, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=1, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR 
sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." 
(CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-14-2022 04:13:19.904, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655179920_56409', total_run_time=13.51, event_count=0, result_count=0, available_count=0, scan_count=22871614, drop_count=0, exec_time=1655179969, api_et=1655165520.000000000, api_lt=1655179920.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655165520.000000000, search_lt=1655179920.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3235", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=132, eliminated_buckets=0, considered_events=22871614, total_slices=1442335, decompressed_slices=416214, duration.command.search.index=8144, invocations.command.search.index.bucketcache.hit=132, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=64379, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11807685, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 04:12:19.636, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655179860_56391', total_run_time=13.34, event_count=0, result_count=0, available_count=0, scan_count=22883231, drop_count=0, exec_time=1655179909, api_et=1655165460.000000000, api_lt=1655179860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655165460.000000000, search_lt=1655179860.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3135", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=132, eliminated_buckets=0, considered_events=22883231, total_slices=1441268, decompressed_slices=416370, duration.command.search.index=8385, invocations.command.search.index.bucketcache.hit=132, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=62430, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11811127, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 04:11:20.016, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655179800_56366', total_run_time=14.73, event_count=0, result_count=0, available_count=0, scan_count=22892897, drop_count=0, exec_time=1655179849, api_et=1655165400.000000000, api_lt=1655179800.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655165400.000000000, search_lt=1655179800.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2748", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=132, eliminated_buckets=0, considered_events=22892897, total_slices=1439707, decompressed_slices=416489, duration.command.search.index=8707, invocations.command.search.index.bucketcache.hit=132, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=64816, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11813901, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 04:11:19.958, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1655179860_56373', total_run_time=5.56, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655179864, api_et=1655176260.000000000, api_lt=1655179860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655176260.000000000, search_lt=1655179866.136646000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2772", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_9c473d79414e7ddd", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=122, eliminated_buckets=49, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=40, invocations.command.search.index.bucketcache.hit=122, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting 
to collect intellectual property from the Gitlab source control system." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 04:10:19.991, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655179740_56344', total_run_time=13.51, event_count=0, result_count=0, available_count=0, scan_count=22909363, drop_count=0, exec_time=1655179789, api_et=1655165340.000000000, api_lt=1655179740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655165340.000000000, search_lt=1655179740.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2708", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=132, eliminated_buckets=0, considered_events=22909363, total_slices=1437890, decompressed_slices=416764, duration.command.search.index=8336, invocations.command.search.index.bucketcache.hit=132, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61004, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11816751, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 04:09:49.963, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1655179740_56336', total_run_time=26.79, event_count=0, result_count=0, available_count=0, scan_count=4893882, drop_count=0, exec_time=1655179745, api_et=1655175540.000000000, api_lt=1655179140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655175540.000000000, search_lt=1655179140.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3051", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_7917575c91979b5b", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=698, eliminated_buckets=375, considered_events=4893882, total_slices=950551, decompressed_slices=207771, duration.command.search.index=2002, invocations.command.search.index.bucketcache.hit=698, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=34498, invocations.command.search.rawdata.bucketcache.hit=79, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=59, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", 
risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 04:09:19.718, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655179680_56328', total_run_time=13.23, event_count=0, result_count=0, available_count=0, scan_count=22923318, drop_count=0, exec_time=1655179729, api_et=1655165280.000000000, api_lt=1655179680.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655165280.000000000, search_lt=1655179680.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2676", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=132, eliminated_buckets=0, considered_events=22923318, total_slices=1436059, decompressed_slices=417068, duration.command.search.index=8270, invocations.command.search.index.bucketcache.hit=132, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=62048, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, 
duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11820157, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 04:08:49.712, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1655179620_56320', total_run_time=16.85, event_count=1151, result_count=55, available_count=0, scan_count=354124, drop_count=0, exec_time=1655179684, api_et=1655176020.000000000, api_lt=1655179620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655176020.000000000, search_lt=1655179686.277264000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - Windows - CLI Threat Indicator 
Detected - Rule", search_startup_time="2888", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=406, eliminated_buckets=199, considered_events=359706, total_slices=642375, decompressed_slices=102083, duration.command.search.index=3430, invocations.command.search.index.bucketcache.hit=405, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=28559, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=1, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=293826, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=31215, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory 
notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-14-2022 04:08:10.707, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655179620_56312', total_run_time=12.83, event_count=0, result_count=0, available_count=0, scan_count=22935937, drop_count=0, exec_time=1655179669, api_et=1655165220.000000000, api_lt=1655179620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655165220.000000000, search_lt=1655179620.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2121", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=132, eliminated_buckets=1, considered_events=22935937, total_slices=1434423, decompressed_slices=417234, duration.command.search.index=8377, invocations.command.search.index.bucketcache.hit=132, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=63543, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11820538, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 04:07:52.328, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655179560_56292', total_run_time=13.35, event_count=0, result_count=0, available_count=0, 
scan_count=22950423, drop_count=0, exec_time=1655179610, api_et=1655165160.000000000, api_lt=1655179560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655165160.000000000, search_lt=1655179560.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2644", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=132, eliminated_buckets=1, considered_events=22950423, total_slices=1432832, decompressed_slices=417479, duration.command.search.index=8688, invocations.command.search.index.bucketcache.hit=132, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61722, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11821668, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv 
src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 04:07:52.286, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655179500_56277', total_run_time=15.10, event_count=0, result_count=0, available_count=0, scan_count=22962264, drop_count=0, exec_time=1655179550, api_et=1655165100.000000000, api_lt=1655179500.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655165100.000000000, search_lt=1655179500.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2594", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=132, eliminated_buckets=1, considered_events=22962264, total_slices=1431153, decompressed_slices=417709, duration.command.search.index=9517, invocations.command.search.index.bucketcache.hit=132, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=64080, 
invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11823296, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 04:07:50.605, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1655179620_56307', total_run_time=5.58, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655179646, api_et=1655176020.000000000, api_lt=1655179620.000000000, api_index_et=N/A, api_index_lt=N/A, 
search_et=1655176020.000000000, search_lt=1655179648.316188000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2702", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_7b6bd72f06026c70", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=407, eliminated_buckets=199, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=790, invocations.command.search.index.bucketcache.hit=405, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine 
"sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 04:07:50.339, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655179380_56218', total_run_time=20.19, event_count=0, result_count=0, available_count=0, scan_count=22993949, drop_count=0, exec_time=1655179429, api_et=1655164980.000000000, api_lt=1655179380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655164980.000000000, search_lt=1655179380.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2303", has_error_msg=false, fully_completed_search=false, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=22993949, total_slices=1427740, decompressed_slices=418258, duration.command.search.index=11091, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=83625, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11827896, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 04:07:49.820, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655179440_56259', total_run_time=24.01, event_count=0, result_count=0, available_count=0, 
scan_count=22978583, drop_count=0, exec_time=1655179490, api_et=1655165040.000000000, api_lt=1655179440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655165040.000000000, search_lt=1655179440.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2805", has_error_msg=false, fully_completed_search=false, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=132, eliminated_buckets=1, considered_events=22978583, total_slices=1429547, decompressed_slices=417975, duration.command.search.index=10411, invocations.command.search.index.bucketcache.hit=132, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=74830, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11825768, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv 
src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 04:03:25.959, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655179320_56170', total_run_time=16.93, event_count=0, result_count=0, available_count=0, scan_count=23009847, drop_count=0, exec_time=1655179369, api_et=1655164920.000000000, api_lt=1655179320.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655164920.000000000, search_lt=1655179320.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2738", has_error_msg=false, fully_completed_search=false, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=23009847, total_slices=1426033, decompressed_slices=418541, duration.command.search.index=9460, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=71188, 
invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11831702, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 04:02:25.414, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655179260_56140', total_run_time=16.70, event_count=0, result_count=0, available_count=0, scan_count=23024703, drop_count=0, exec_time=1655179309, api_et=1655164860.000000000, api_lt=1655179260.000000000, api_index_et=N/A, api_index_lt=N/A, 
search_et=1655164860.000000000, search_lt=1655179260.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2612", has_error_msg=false, fully_completed_search=false, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=23024703, total_slices=1424338, decompressed_slices=418830, duration.command.search.index=9999, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=72222, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11832079, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval 
isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 04:01:24.464, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655179200_56106', total_run_time=22.37, event_count=0, result_count=0, available_count=0, scan_count=23026465, drop_count=0, exec_time=1655179249, api_et=1655164800.000000000, api_lt=1655179200.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655164800.000000000, search_lt=1655179200.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2891", has_error_msg=false, fully_completed_search=false, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=23026465, total_slices=1422557, decompressed_slices=418784, duration.command.search.index=10307, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=76315, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, 
invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11820709, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 03:44:19.812, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1655178180_55811', total_run_time=21.31, event_count=0, result_count=0, available_count=0, scan_count=3613, drop_count=0, exec_time=1655178218, api_et=1655174580.000000000, api_lt=1655178180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655174580.000000000, search_lt=1655178220.180748000, is_realtime=0, savedsearch_name="Threat - 
DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2877", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_d0010102d2c08ba9", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=122, eliminated_buckets=0, considered_events=3613, total_slices=877941, decompressed_slices=1040, duration.command.search.index=1167, invocations.command.search.index.bucketcache.hit=122, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4901, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, 
risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 03:37:52.598, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1655177580_55603', total_run_time=38.55, event_count=0, result_count=0, available_count=0, scan_count=40969595, drop_count=0, exec_time=1655177605, api_et=1655173980.000000000, api_lt=1655177580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655173980.000000000, search_lt=1655177607.212732000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3686", has_error_msg=false, fully_completed_search=false, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_85067a3769f50780", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1837, eliminated_buckets=126, considered_events=40969595, total_slices=14714556, decompressed_slices=4374784, duration.command.search.index=14297, invocations.command.search.index.bucketcache.hit=1833, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=232960, invocations.command.search.rawdata.bucketcache.hit=346, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, 
invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 03:16:39.395, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1655176560_55259', total_run_time=9.70, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655176570, api_et=1655172360.000000000, api_lt=1655175960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655172960.000000000, search_lt=1655176572.353095000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3224", has_error_msg=false, 
fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_be6864acf4f07d10", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1004, eliminated_buckets=311, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=720, invocations.command.search.index.bucketcache.hit=1004, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as 
task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 03:14:39.472, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1655176440_55218', total_run_time=4.34, event_count=0, result_count=0, available_count=0, scan_count=12278, drop_count=0, exec_time=1655176463, api_et=1655172840.000000000, api_lt=1655176440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655172840.000000000, search_lt=1655176465.319789000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2790", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=406, eliminated_buckets=278, considered_events=12278, total_slices=703293, decompressed_slices=2774, duration.command.search.index=987, 
invocations.command.search.index.bucketcache.hit=406, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5682, invocations.command.search.rawdata.bucketcache.hit=5, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=39, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=189, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=520, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=125, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=5, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=96, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR 
sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." 
(CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-14-2022 03:11:39.471, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1655176260_55153', total_run_time=5.40, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655176265, api_et=1655172660.000000000, api_lt=1655176260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655172660.000000000, search_lt=1655176266.947092000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2767", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_4a1b526dafe9e8e1", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=122, eliminated_buckets=49, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=40, invocations.command.search.index.bucketcache.hit=122, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 03:09:39.779, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1655176140_55118', total_run_time=20.75, event_count=0, result_count=0, available_count=0, scan_count=4595416, drop_count=0, exec_time=1655176145, api_et=1655171940.000000000, api_lt=1655175540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655171940.000000000, search_lt=1655175540.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3133", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_2dadc58af25dd4de", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=792, eliminated_buckets=364, considered_events=4595416, total_slices=1089989, decompressed_slices=208959, duration.command.search.index=2110, invocations.command.search.index.bucketcache.hit=788, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=32597, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=112, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 03:08:39.674, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1655176020_55100', total_run_time=14.27, event_count=1102, result_count=55, available_count=0, scan_count=362269, drop_count=0, exec_time=1655176080, api_et=1655172420.000000000, api_lt=1655176020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655172420.000000000, search_lt=1655176082.197264000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2811", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=405, eliminated_buckets=200, considered_events=367597, total_slices=596006, decompressed_slices=98899, duration.command.search.index=3287, invocations.command.search.index.bucketcache.hit=405, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=26364, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=2, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=298623, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=30381, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype 
CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-14-2022 03:07:40.100, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1655176020_55095', total_run_time=4.98, event_count=0, result_count=0, available_count=0, scan_count=1, drop_count=0, exec_time=1655176046, api_et=1655172420.000000000, api_lt=1655176020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655172420.000000000, search_lt=1655176048.550936000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2919", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_b5d22ba731d08298", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=405, eliminated_buckets=200, considered_events=1, total_slices=13490, decompressed_slices=1, duration.command.search.index=677, invocations.command.search.index.bucketcache.hit=405, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=129, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 02:44:08.320, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1655174580_54606', total_run_time=21.37, event_count=0, result_count=0, available_count=0, scan_count=3224, drop_count=0, exec_time=1655174618, api_et=1655170980.000000000, api_lt=1655174580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655170980.000000000, search_lt=1655174620.471597000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2779", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_a910a5906de14a4f", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=3224, total_slices=970735, decompressed_slices=907, duration.command.search.index=1112, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4826, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 02:36:26.229, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1655173980_54399', total_run_time=36.23, event_count=0, result_count=0, available_count=0, scan_count=40935931, drop_count=0, exec_time=1655174005, api_et=1655170380.000000000, api_lt=1655173980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655170380.000000000, search_lt=1655174007.562708000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3637", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_ebf87ab82a104864", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1869, eliminated_buckets=126, considered_events=40935931, total_slices=15077038, decompressed_slices=4364954, duration.command.search.index=14756, invocations.command.search.index.bucketcache.hit=1868, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=234821, invocations.command.search.rawdata.bucketcache.hit=322, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 02:16:38.934, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1655172960_54050', total_run_time=15.83, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655172971, api_et=1655168760.000000000, api_lt=1655172360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655169360.000000000, search_lt=1655172973.072516000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3219", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_fe6e06259154185f", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=998, eliminated_buckets=311, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=1163, invocations.command.search.index.bucketcache.hit=998, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?<rapiddiag_operation>task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metadata")` | rex field=uri "\?(?<get_parameters>.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?<task_name>.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metadata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 02:14:39.087, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1655172840_54010', total_run_time=4.18, event_count=0, result_count=0, available_count=0, scan_count=15648, drop_count=0, exec_time=1655172863, api_et=1655169240.000000000, api_lt=1655172840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655169240.000000000, search_lt=1655172865.447874000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2908", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=404, eliminated_buckets=276, considered_events=15678, total_slices=768257, decompressed_slices=3120, duration.command.search.index=1068, invocations.command.search.index.bucketcache.hit=404, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5864, invocations.command.search.rawdata.bucketcache.hit=6, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=47, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=198, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=659, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=128, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=3, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=105, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | 
`filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-14-2022 02:11:38.986, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1655172660_53944', total_run_time=5.87, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655172664, api_et=1655169060.000000000, api_lt=1655172660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655169060.000000000, search_lt=1655172667.084213000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="3180", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_5b8368376b9a6874", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=122, eliminated_buckets=49, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=43, invocations.command.search.index.bucketcache.hit=122, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?<dest_host>.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 02:09:38.981, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1655172540_53913', total_run_time=23.36, event_count=0, result_count=0, available_count=0, scan_count=4794691, drop_count=0, exec_time=1655172546, api_et=1655168340.000000000, api_lt=1655171940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655168340.000000000, search_lt=1655171940.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3009", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_626ff220d40bd92d", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=789, eliminated_buckets=366, considered_events=4794691, total_slices=1066086, decompressed_slices=211375, duration.command.search.index=1915, invocations.command.search.index.bucketcache.hit=785, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=34583, invocations.command.search.rawdata.bucketcache.hit=9, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=92, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?<granted_account_id>\d+?):(?<granted_principal_name>.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 02:08:38.723, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1655172420_53894', total_run_time=15.93, event_count=2136, result_count=107, available_count=0, scan_count=457928, drop_count=0, exec_time=1655172480, api_et=1655168820.000000000, api_lt=1655172420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655168820.000000000, search_lt=1655172482.334521000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2829", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=407, eliminated_buckets=202, considered_events=464551, total_slices=575271, decompressed_slices=108080, duration.command.search.index=3656, invocations.command.search.index.bucketcache.hit=407, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=30601, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=381139, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=40376, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | 
rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-14-2022 02:07:38.903, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1655172420_53889', total_run_time=6.22, event_count=0, result_count=0, available_count=0, scan_count=1, drop_count=0, exec_time=1655172446, api_et=1655168820.000000000, api_lt=1655172420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655168820.000000000, search_lt=1655172448.702811000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2744", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_5300b385f1488bec", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=407, eliminated_buckets=202, considered_events=1, total_slices=11377, decompressed_slices=1, duration.command.search.index=807, invocations.command.search.index.bucketcache.hit=407, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, 
invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=132, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?<dest_host>(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 01:43:59.833, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1655170980_53423', total_run_time=20.87, event_count=0, result_count=0, available_count=0, scan_count=3144, drop_count=0, exec_time=1655171018, api_et=1655167380.000000000, api_lt=1655170980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655167380.000000000, search_lt=1655171020.697482000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2877", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_b7a47cf21029d7d0", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=121, eliminated_buckets=0, considered_events=3144, total_slices=1044795, decompressed_slices=1069, duration.command.search.index=1077, invocations.command.search.index.bucketcache.hit=121, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4981, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 01:38:17.556, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1655170380_53221', total_run_time=49.40, event_count=0, result_count=0, available_count=0, scan_count=40746036, drop_count=0, exec_time=1655170406, api_et=1655166780.000000000, api_lt=1655170380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655166780.000000000, search_lt=1655170408.512887000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3850", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_b2d371f2cffe135d", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1838, eliminated_buckets=126, considered_events=40746036, total_slices=14646365, decompressed_slices=4333230, duration.command.search.index=15414, invocations.command.search.index.bucketcache.hit=1834, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=236892, invocations.command.search.rawdata.bucketcache.hit=280, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 01:16:32.725, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1655169360_52879', total_run_time=9.27, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655169371, api_et=1655165160.000000000, api_lt=1655168760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655165760.000000000, search_lt=1655169373.146577000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3275", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_77e1467f64a20c35", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1003, eliminated_buckets=317, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=1238, invocations.command.search.index.bucketcache.hit=1003, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?<rapiddiag_operation>task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metadata")` | rex field=uri "\?(?<get_parameters>.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?<task_name>.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metadata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 01:14:32.873, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1655169240_52832', total_run_time=5.00, event_count=0, result_count=0, available_count=0, scan_count=15221, drop_count=0, exec_time=1655169263, api_et=1655165640.000000000, api_lt=1655169240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655165640.000000000, search_lt=1655169265.923321000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2912", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=405, eliminated_buckets=280, considered_events=15396, total_slices=765029, decompressed_slices=3719, duration.command.search.index=1151, invocations.command.search.index.bucketcache.hit=405, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5963, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=58, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=268, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=946, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=164, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=7, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=207, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=5, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") 
`filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-14-2022 01:11:33.362, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1655169060_52766', total_run_time=5.57, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655169064, api_et=1655165460.000000000, api_lt=1655169060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655165460.000000000, search_lt=1655169066.424002000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2807", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_352b4a28c99d81a3", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=124, eliminated_buckets=50, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=45, invocations.command.search.index.bucketcache.hit=124, 
duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 01:09:32.798, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1655168940_52735', total_run_time=21.26, event_count=0, result_count=0, available_count=0, scan_count=4626798, drop_count=0, exec_time=1655168945, api_et=1655164740.000000000, api_lt=1655168340.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655164740.000000000, search_lt=1655168340.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3103", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_aba64986efc1347f", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=793, eliminated_buckets=368, considered_events=4626798, total_slices=1150754, decompressed_slices=218724, duration.command.search.index=1790, invocations.command.search.index.bucketcache.hit=791, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=34273, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=165, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 01:08:32.761, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1655168820_52717', total_run_time=17.17, event_count=1995, result_count=111, available_count=0, scan_count=501100, drop_count=0, exec_time=1655168880, api_et=1655165220.000000000, api_lt=1655168820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655165220.000000000, search_lt=1655168882.301592000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2859", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=406, eliminated_buckets=197, considered_events=505025, total_slices=543629, decompressed_slices=122309, duration.command.search.index=3619, invocations.command.search.index.bucketcache.hit=405, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=34462, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=3, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=411842, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=40824, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype 
CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-14-2022 01:07:32.844, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1655168820_52712', total_run_time=4.91, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655168846, api_et=1655165220.000000000, api_lt=1655168820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655165220.000000000, search_lt=1655168848.819778000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2897", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_a8527e3314309b3b", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=406, eliminated_buckets=198, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=792, invocations.command.search.index.bucketcache.hit=406, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 01:02:12.816, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655168340_52521', total_run_time=21.50, event_count=0, result_count=0, available_count=0, scan_count=26225861, drop_count=0, exec_time=1655168390, api_et=1655153940.000000000, api_lt=1655168340.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655153940.000000000, search_lt=1655168340.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3137", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=127, eliminated_buckets=0, considered_events=26225861, total_slices=1327255, decompressed_slices=449400, duration.command.search.index=9514, invocations.command.search.index.bucketcache.hit=127, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=89141, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12618484, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 00:59:22.119, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655168280_52508', total_run_time=19.06, event_count=0, result_count=0, available_count=0, scan_count=26243987, drop_count=0, exec_time=1655168329, api_et=1655153880.000000000, api_lt=1655168280.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655153880.000000000, search_lt=1655168280.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3249", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=26243987, total_slices=1325105, decompressed_slices=449549, duration.command.search.index=9668, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=72600, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12624199, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 00:59:21.334, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655168220_52492', total_run_time=21.79, event_count=0, result_count=0, available_count=0, scan_count=26258894, drop_count=0, exec_time=1655168270, api_et=1655153820.000000000, api_lt=1655168220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655153820.000000000, search_lt=1655168220.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3042", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=26258894, total_slices=1323262, decompressed_slices=449722, duration.command.search.index=9717, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=75424, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12629279, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 00:59:21.085, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655168100_52462', total_run_time=17.34, event_count=0, result_count=0, available_count=0, scan_count=26296431, drop_count=0, exec_time=1655168149, api_et=1655153700.000000000, api_lt=1655168100.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655153700.000000000, search_lt=1655168100.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2757", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=26296431, total_slices=1319586, decompressed_slices=450209, duration.command.search.index=9878, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=71671, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12642145, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 00:59:20.525, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655168160_52473', total_run_time=14.71, event_count=0, result_count=0, available_count=0, scan_count=26276765, drop_count=0, exec_time=1655168210, api_et=1655153760.000000000, api_lt=1655168160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655153760.000000000, search_lt=1655168160.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2584", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=26276765, total_slices=1321411, decompressed_slices=450071, duration.command.search.index=9355, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=71290, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12635400, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 00:55:08.040, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655168040_52444', total_run_time=16.48, event_count=0, result_count=0, available_count=0, scan_count=26312604, drop_count=0, exec_time=1655168089, api_et=1655153640.000000000, api_lt=1655168040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655153640.000000000, search_lt=1655168040.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2656", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=26312604, total_slices=1317561, decompressed_slices=450434, duration.command.search.index=10585, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=69313, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12647245, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 00:54:56.428, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655167980_52427', total_run_time=15.71, event_count=0, result_count=0, available_count=0, scan_count=26329523, drop_count=0, exec_time=1655168029, api_et=1655153580.000000000, api_lt=1655167980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655153580.000000000, search_lt=1655167980.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3174", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=26329523, total_slices=1315585, decompressed_slices=450485, duration.command.search.index=9744, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=69854, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12652759, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 00:54:54.229, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655167920_52402', total_run_time=17.48, event_count=0, result_count=0, available_count=0, scan_count=26346208, drop_count=0, exec_time=1655167969, api_et=1655153520.000000000, api_lt=1655167920.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655153520.000000000, search_lt=1655167920.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2615", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=26346208, total_slices=1313591, decompressed_slices=450631, duration.command.search.index=10164, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=77136, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12658143, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 00:54:53.847, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655167860_52385', total_run_time=18.07, event_count=0, result_count=0, available_count=0, scan_count=26367889, drop_count=0, exec_time=1655167909, api_et=1655153460.000000000, api_lt=1655167860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655153460.000000000, search_lt=1655167860.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2181", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=26367889, total_slices=1311316, decompressed_slices=450839, duration.command.search.index=11021, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=78356, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12665952, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 00:51:09.062, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655167800_52361', total_run_time=18.89, event_count=0, result_count=0, available_count=0, scan_count=26386103, drop_count=0, exec_time=1655167849, api_et=1655153400.000000000, api_lt=1655167800.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655153400.000000000, search_lt=1655167800.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2755", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=26386103, total_slices=1309779, decompressed_slices=451076, duration.command.search.index=10203, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=79783, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12671968, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 00:50:50.305, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655167620_52298', total_run_time=17.64, event_count=0, result_count=0, available_count=0, scan_count=26432029, drop_count=0, exec_time=1655167670, api_et=1655153220.000000000, api_lt=1655167620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655153220.000000000, search_lt=1655167620.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2760", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=26432029, total_slices=1303941, decompressed_slices=451476, duration.command.search.index=9836, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=71658, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12688556, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 00:50:48.806, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655167560_52275', total_run_time=17.70, event_count=0, result_count=0, available_count=0, scan_count=26451660, drop_count=0, exec_time=1655167609, api_et=1655153160.000000000, api_lt=1655167560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655153160.000000000, search_lt=1655167560.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2634", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=26451660, total_slices=1301989, decompressed_slices=451769, duration.command.search.index=10170, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=72888, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12697058, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 00:50:47.971, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655167680_52314', total_run_time=17.57, event_count=0, result_count=0, available_count=0, scan_count=26418390, drop_count=0, exec_time=1655167729, api_et=1655153280.000000000, api_lt=1655167680.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655153280.000000000, search_lt=1655167680.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2651", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=26418390, total_slices=1305750, decompressed_slices=451249, duration.command.search.index=10933, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=77670, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12683901, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 00:50:47.691, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655167500_52256', total_run_time=16.14, event_count=0, result_count=0, available_count=0, scan_count=26470484, drop_count=0, exec_time=1655167549, api_et=1655153100.000000000, api_lt=1655167500.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655153100.000000000, search_lt=1655167500.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2645", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=26470484, total_slices=1300150, decompressed_slices=452005, duration.command.search.index=9730, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=74953, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12705834, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 00:50:47.142, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655167740_52338', total_run_time=20.32, event_count=0, result_count=0, available_count=0, scan_count=26402722, drop_count=0, exec_time=1655167790, api_et=1655153340.000000000, api_lt=1655167740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655153340.000000000, search_lt=1655167740.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2631", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=26402722, total_slices=1307884, decompressed_slices=451215, duration.command.search.index=9777, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=88648, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12678276, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 00:45:11.646, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655167440_52233', total_run_time=16.30, event_count=0, result_count=0, available_count=0, scan_count=26485842, drop_count=0, exec_time=1655167489, api_et=1655153040.000000000, api_lt=1655167440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655153040.000000000, search_lt=1655167440.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2648", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=26485842, total_slices=1298085, decompressed_slices=452097, duration.command.search.index=9686, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=73335, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12712633, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 00:44:56.709, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655167260_52161', total_run_time=17.04, event_count=0, result_count=0, available_count=0, scan_count=26537543, drop_count=0, exec_time=1655167309, api_et=1655152860.000000000, api_lt=1655167260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655152860.000000000, search_lt=1655167260.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2721", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=26537543, total_slices=1292185, decompressed_slices=452484, duration.command.search.index=10260, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=73509, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12737548, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 00:44:56.046, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655167140_52114', total_run_time=19.52, event_count=0, result_count=0, available_count=0, scan_count=26580650, drop_count=0, exec_time=1655167189, api_et=1655152740.000000000, api_lt=1655167140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655152740.000000000, search_lt=1655167140.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2552", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=127, eliminated_buckets=0, considered_events=26580650, total_slices=1313944, decompressed_slices=452815, duration.command.search.index=9899, invocations.command.search.index.bucketcache.hit=127, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=86140, invocations.command.search.rawdata.bucketcache.hit=9, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12755272, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 00:44:53.711, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655167320_52184', total_run_time=16.68, event_count=0, result_count=0, available_count=0, scan_count=26521329, drop_count=0, exec_time=1655167369, api_et=1655152920.000000000, api_lt=1655167320.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655152920.000000000, search_lt=1655167320.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2678", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=26521329, total_slices=1294092, decompressed_slices=452372, duration.command.search.index=9923, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=72912, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12729817, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 00:44:53.230, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655167200_52135', total_run_time=18.28, event_count=0, result_count=0, available_count=0, scan_count=26557095, drop_count=0, exec_time=1655167249, api_et=1655152800.000000000, api_lt=1655167200.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655152800.000000000, search_lt=1655167200.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2744", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=26557095, total_slices=1290258, decompressed_slices=452630, duration.command.search.index=11495, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=78185, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12747010, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 00:44:52.875, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655167380_52212', total_run_time=16.09, event_count=0, result_count=0, available_count=0, scan_count=26504272, drop_count=0, exec_time=1655167429, api_et=1655152980.000000000, api_lt=1655167380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655152980.000000000, search_lt=1655167380.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3156", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=26504272, total_slices=1296132, decompressed_slices=452180, duration.command.search.index=10147, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=69736, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12721346, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 00:44:52.835, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1655167380_52209', total_run_time=21.62, event_count=0, result_count=0, available_count=0, scan_count=3097, drop_count=0, exec_time=1655167418, api_et=1655163780.000000000, api_lt=1655167380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655163780.000000000, search_lt=1655167420.498682000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2836", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_cb2351a56e26f3f2", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=121, eliminated_buckets=0, considered_events=3097, total_slices=981536, decompressed_slices=1214, duration.command.search.index=1103, invocations.command.search.index.bucketcache.hit=121, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5046, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter 
vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 00:39:16.678, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655166960_52068', total_run_time=15.87, event_count=0, result_count=0, available_count=0, scan_count=26634762, drop_count=0, exec_time=1655167010, api_et=1655152560.000000000, api_lt=1655166960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655152560.000000000, search_lt=1655166960.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2664", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=127, eliminated_buckets=0, considered_events=26634762, total_slices=1308176, decompressed_slices=453427, duration.command.search.index=10180, invocations.command.search.index.bucketcache.hit=127, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=70178, invocations.command.search.rawdata.bucketcache.hit=9, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12776908, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 00:39:16.670, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655167080_52098', total_run_time=15.08, event_count=0, result_count=0, available_count=0, scan_count=26599528, drop_count=0, exec_time=1655167129, api_et=1655152680.000000000, api_lt=1655167080.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655152680.000000000, search_lt=1655167080.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2660", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=127, eliminated_buckets=0, considered_events=26599528, total_slices=1312104, decompressed_slices=452945, duration.command.search.index=10000, invocations.command.search.index.bucketcache.hit=127, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=72306, invocations.command.search.rawdata.bucketcache.hit=9, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12763109, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 00:39:15.970, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1655166780_51988', total_run_time=64.94, event_count=0, result_count=0, available_count=0, scan_count=40885050, drop_count=0, exec_time=1655166805, api_et=1655163180.000000000, api_lt=1655166780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655163180.000000000, search_lt=1655166807.991925000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="4108", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_3029713ea361a974", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1864, eliminated_buckets=126, considered_events=40885050, total_slices=14515545, decompressed_slices=4263644, duration.command.search.index=18935, invocations.command.search.index.bucketcache.hit=1862, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=275401, invocations.command.search.rawdata.bucketcache.hit=295, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 00:39:14.674, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655166840_52036', total_run_time=19.14, event_count=0, result_count=0, available_count=0, scan_count=26676062, drop_count=0, exec_time=1655166889, api_et=1655152440.000000000, api_lt=1655166840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655152440.000000000, search_lt=1655166840.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2732", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=127, eliminated_buckets=0, considered_events=26676062, total_slices=1304434, decompressed_slices=453888, duration.command.search.index=10331, invocations.command.search.index.bucketcache.hit=127, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=78214, invocations.command.search.rawdata.bucketcache.hit=9, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12792011, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 00:39:14.516, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655166720_51965', total_run_time=22.04, event_count=0, result_count=0, available_count=0, scan_count=26705359, drop_count=0, exec_time=1655166769, api_et=1655152320.000000000, api_lt=1655166720.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655152320.000000000, search_lt=1655166720.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2702", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=127, eliminated_buckets=0, considered_events=26705359, total_slices=1300460, decompressed_slices=454008, duration.command.search.index=11669, invocations.command.search.index.bucketcache.hit=127, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=91366, invocations.command.search.rawdata.bucketcache.hit=9, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12804738, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 00:39:13.681, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655166780_52002', total_run_time=19.37, event_count=0, result_count=0, available_count=0, scan_count=26690905, drop_count=0, exec_time=1655166829, api_et=1655152380.000000000, api_lt=1655166780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655152380.000000000, search_lt=1655166780.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2880", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=127, eliminated_buckets=0, considered_events=26690905, total_slices=1302473, decompressed_slices=453985, duration.command.search.index=10945, invocations.command.search.index.bucketcache.hit=127, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=80767, invocations.command.search.rawdata.bucketcache.hit=9, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12798056, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 00:39:12.449, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655166900_52058', total_run_time=15.22, event_count=0, result_count=0, available_count=0, scan_count=26654516, drop_count=0, exec_time=1655166950, api_et=1655152500.000000000, api_lt=1655166900.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655152500.000000000, search_lt=1655166900.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2671", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=127, eliminated_buckets=0, considered_events=26654516, total_slices=1306276, decompressed_slices=453638, duration.command.search.index=10393, invocations.command.search.index.bucketcache.hit=127, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=70887, invocations.command.search.rawdata.bucketcache.hit=9, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12784438, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 00:39:12.071, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655167020_52083', total_run_time=16.08, event_count=0, result_count=0, available_count=0, scan_count=26614652, drop_count=0, exec_time=1655167070, api_et=1655152620.000000000, api_lt=1655167020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655152620.000000000, search_lt=1655167020.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2686", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=127, eliminated_buckets=0, considered_events=26614652, total_slices=1310102, decompressed_slices=453112, duration.command.search.index=10047, invocations.command.search.index.bucketcache.hit=127, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=72975, invocations.command.search.rawdata.bucketcache.hit=9, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12767898, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 00:32:12.944, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655166660_51934', total_run_time=21.73, event_count=0, result_count=0, available_count=0, scan_count=26720210, drop_count=0, exec_time=1655166709, api_et=1655152260.000000000, api_lt=1655166660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655152260.000000000, search_lt=1655166660.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3172", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=127, eliminated_buckets=0, considered_events=26720210, total_slices=1298570, decompressed_slices=454228, duration.command.search.index=12009, invocations.command.search.index.bucketcache.hit=127, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=92462, invocations.command.search.rawdata.bucketcache.hit=9, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12810250, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 00:31:21.264, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655166540_51878', total_run_time=20.69, event_count=0, result_count=0, available_count=0, scan_count=26764843, drop_count=0, exec_time=1655166590, api_et=1655152140.000000000, api_lt=1655166540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655152140.000000000, search_lt=1655166540.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2594", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=127, eliminated_buckets=0, considered_events=26764843, total_slices=1294602, decompressed_slices=454909, duration.command.search.index=10143, invocations.command.search.index.bucketcache.hit=127, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=90143, invocations.command.search.rawdata.bucketcache.hit=9, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12827560, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 00:31:20.874, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655166480_51864', total_run_time=14.82, event_count=0, result_count=0, available_count=0, scan_count=26780629, drop_count=0, exec_time=1655166529, api_et=1655152080.000000000, api_lt=1655166480.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655152080.000000000, search_lt=1655166480.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2607", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=127, eliminated_buckets=0, considered_events=26780629, total_slices=1292680, decompressed_slices=455165, duration.command.search.index=9642, invocations.command.search.index.bucketcache.hit=127, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=76763, invocations.command.search.rawdata.bucketcache.hit=9, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12833146, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 00:31:20.667, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655166360_51830', total_run_time=16.64, event_count=0, result_count=0, available_count=0, scan_count=26810953, drop_count=0, exec_time=1655166409, api_et=1655151960.000000000, api_lt=1655166360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655151960.000000000, search_lt=1655166360.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2592", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=128, eliminated_buckets=0, considered_events=26810953, total_slices=1315165, decompressed_slices=455616, duration.command.search.index=9895, invocations.command.search.index.bucketcache.hit=128, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=74034, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12841138, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 00:31:20.664, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655166420_51849', total_run_time=17.28, event_count=0, result_count=0, available_count=0, scan_count=26798223, drop_count=0, exec_time=1655166469, api_et=1655152020.000000000, api_lt=1655166420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655152020.000000000, search_lt=1655166420.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2581", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=128, eliminated_buckets=0, considered_events=26798223, total_slices=1317083, decompressed_slices=455308, duration.command.search.index=10015, invocations.command.search.index.bucketcache.hit=128, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=75957, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12837736, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 00:31:19.095, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655166600_51907', total_run_time=24.68, event_count=0, result_count=0, available_count=0, scan_count=26740269, drop_count=0, exec_time=1655166649, api_et=1655152200.000000000, api_lt=1655166600.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655152200.000000000, search_lt=1655166600.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2838", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=127, eliminated_buckets=0, considered_events=26740269, total_slices=1296622, decompressed_slices=454561, duration.command.search.index=13918, invocations.command.search.index.bucketcache.hit=127, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=111900, invocations.command.search.rawdata.bucketcache.hit=9, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12819724, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 00:26:11.848, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655166240_51800', total_run_time=16.73, event_count=0, result_count=0, available_count=0, scan_count=26845273, drop_count=0, exec_time=1655166289, api_et=1655151840.000000000, api_lt=1655166240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655151840.000000000, search_lt=1655166240.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2594", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=128, eliminated_buckets=0, considered_events=26845273, total_slices=1311556, decompressed_slices=456088, duration.command.search.index=9966, invocations.command.search.index.bucketcache.hit=128, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=72079, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12851289, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 00:26:11.699, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655166180_51781', total_run_time=28.02, event_count=0, result_count=0, available_count=0, scan_count=26863586, drop_count=0, exec_time=1655166229, api_et=1655151780.000000000, api_lt=1655166180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655151780.000000000, search_lt=1655166180.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2698", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=128, eliminated_buckets=0, considered_events=26863586, total_slices=1309628, decompressed_slices=456231, duration.command.search.index=10987, invocations.command.search.index.bucketcache.hit=128, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=76615, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12856895, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 00:26:11.380, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655166300_51814', total_run_time=15.25, event_count=0, result_count=0, available_count=0, scan_count=26830200, drop_count=0, exec_time=1655166349, api_et=1655151900.000000000, api_lt=1655166300.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655151900.000000000, search_lt=1655166300.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2671", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=128, eliminated_buckets=0, considered_events=26830200, total_slices=1313384, decompressed_slices=455901, duration.command.search.index=9775, invocations.command.search.index.bucketcache.hit=128, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=72167, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12847177, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 00:26:11.222, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655166060_51733', total_run_time=63.10, event_count=0, result_count=0, available_count=0, scan_count=26892183, drop_count=0, exec_time=1655166109, api_et=1655151660.000000000, api_lt=1655166060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655151660.000000000, search_lt=1655166060.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2618", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=128, eliminated_buckets=0, considered_events=26892183, total_slices=1305890, decompressed_slices=456743, duration.command.search.index=11210, invocations.command.search.index.bucketcache.hit=128, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=90681, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12865780, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 00:22:00.152, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD5f35305de57109d38_at_1655166000_51707', total_run_time=36.37, event_count=12869631, result_count=15, available_count=0, scan_count=26905712, drop_count=0, exec_time=1655166057, api_et=1655151600.000000000, api_lt=1655166000.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655151600.000000000, search_lt=1655166000.000000000, is_realtime=0, savedsearch_name="(1/3)_Public/NAT IP_Updating Existing IP", search_startup_time="2409", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_0f6d107c44b6659a", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=128, eliminated_buckets=0, considered_events=26905712, total_slices=1304266, decompressed_slices=456916, duration.command.search.index=13221, invocations.command.search.index.bucketcache.hit=128, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=99821, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12869631, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="False" | eval earliest_seen=strptime(existing_es, "%m/%d/%Y %H:%M:%S.%N") | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(earliest_seen) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields ServiceType, host, src_translated_ip, earliest_seen, latest_seen, right_now, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 00:21:59.907, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655166000_51704', total_run_time=40.80, event_count=0, result_count=0, available_count=0, scan_count=26905716, drop_count=0, exec_time=1655166049, api_et=1655151600.000000000, api_lt=1655166000.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655151600.000000000, search_lt=1655166000.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2686", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=128, eliminated_buckets=0, considered_events=26905716, total_slices=1304076, decompressed_slices=456917, duration.command.search.index=13203, invocations.command.search.index.bucketcache.hit=128, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=108104, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12869631, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 00:20:58.696, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655165880_51653', total_run_time=37.77, event_count=0, result_count=0, available_count=0, scan_count=26938565, drop_count=0, exec_time=1655165929, api_et=1655151480.000000000, api_lt=1655165880.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655151480.000000000, search_lt=1655165880.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2697", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=128, eliminated_buckets=0, considered_events=26938565, total_slices=1300134, decompressed_slices=457437, duration.command.search.index=11206, invocations.command.search.index.bucketcache.hit=128, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=88669, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12878929, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 00:20:57.922, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655165940_51679', total_run_time=45.96, event_count=0, result_count=0, available_count=0, scan_count=26920117, drop_count=0, exec_time=1655165990, api_et=1655151540.000000000, api_lt=1655165940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655151540.000000000, search_lt=1655165940.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2768", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=128, eliminated_buckets=0, considered_events=26920117, total_slices=1302097, decompressed_slices=457170, duration.command.search.index=12739, invocations.command.search.index.bucketcache.hit=128, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=109645, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12873496, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 00:20:57.741, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655165760_51608', total_run_time=43.88, event_count=0, result_count=0, available_count=0, scan_count=26961823, drop_count=0, exec_time=1655165809, api_et=1655151360.000000000, api_lt=1655165760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655151360.000000000, search_lt=1655165760.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2646", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=128, eliminated_buckets=0, considered_events=26961823, total_slices=1296377, decompressed_slices=457871, duration.command.search.index=10134, invocations.command.search.index.bucketcache.hit=128, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=77715, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12887544, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 00:20:57.354, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655165820_51632', total_run_time=30.64, event_count=0, result_count=0, available_count=0, scan_count=26951684, drop_count=0, exec_time=1655165869, api_et=1655151420.000000000, api_lt=1655165820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655151420.000000000, search_lt=1655165820.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2591", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=128, eliminated_buckets=0, considered_events=26951684, total_slices=1298303, decompressed_slices=457622, duration.command.search.index=10590, invocations.command.search.index.bucketcache.hit=128, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=81607, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12882794, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 00:16:55.720, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1655165760_51602', total_run_time=16.72, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655165771, api_et=1655161560.000000000, api_lt=1655165160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655162160.000000000, search_lt=1655165773.648120000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="4003", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_6f08697a14c3a418", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1000, eliminated_buckets=320, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=2085, invocations.command.search.index.bucketcache.hit=1000, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 00:16:25.854, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655165700_51591', total_run_time=35.99, event_count=0, result_count=0, available_count=0, scan_count=26974218, drop_count=0, exec_time=1655165749, api_et=1655151300.000000000, api_lt=1655165700.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655151300.000000000, search_lt=1655165700.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2698", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=127, eliminated_buckets=0, considered_events=26974218, total_slices=1294465, decompressed_slices=458073, duration.command.search.index=10463, invocations.command.search.index.bucketcache.hit=127, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=77991, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12892575, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 00:15:55.642, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655165640_51572', total_run_time=42.30, event_count=0, result_count=0, available_count=0, scan_count=26989766, drop_count=0, exec_time=1655165690, api_et=1655151240.000000000, api_lt=1655165640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655151240.000000000, search_lt=1655165640.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2815", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=127, eliminated_buckets=0, considered_events=26989766, total_slices=1292636, decompressed_slices=458322, duration.command.search.index=10226, invocations.command.search.index.bucketcache.hit=127, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=78684, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12898965, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 00:14:45.393, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1655165640_51559', total_run_time=5.23, event_count=0, result_count=0, available_count=0, scan_count=19518, drop_count=0, exec_time=1655165663, api_et=1655162040.000000000, api_lt=1655165640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655162040.000000000, search_lt=1655165665.658157000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2796", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=402, eliminated_buckets=278, considered_events=19721, total_slices=724624, decompressed_slices=4189, duration.command.search.index=1267, invocations.command.search.index.bucketcache.hit=402, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=6502, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=48, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=323, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=891, 
sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=212, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=7, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=241, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=7, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR 
sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-14-2022 00:14:24.440, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655165580_51549', total_run_time=19.80, event_count=0, result_count=0, available_count=0, scan_count=27003693, drop_count=0, exec_time=1655165629, api_et=1655151180.000000000, api_lt=1655165580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655151180.000000000, search_lt=1655165580.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2745", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=128, eliminated_buckets=0, considered_events=27003693, total_slices=1290710, decompressed_slices=458615, 
duration.command.search.index=9953, invocations.command.search.index.bucketcache.hit=127, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=70678, invocations.command.search.rawdata.bucketcache.hit=9, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12904103, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 00:14:24.163, user=u00002, action=search, 
info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655165520_51521', total_run_time=35.75, event_count=0, result_count=0, available_count=0, scan_count=27021103, drop_count=0, exec_time=1655165569, api_et=1655151120.000000000, api_lt=1655165520.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655151120.000000000, search_lt=1655165520.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3279", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=128, eliminated_buckets=0, considered_events=27021103, total_slices=1288858, decompressed_slices=458779, duration.command.search.index=10242, invocations.command.search.index.bucketcache.hit=127, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=79679, invocations.command.search.rawdata.bucketcache.hit=9, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12910865, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" 
src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 00:14:24.152, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655165460_51502', total_run_time=42.80, event_count=0, result_count=0, available_count=0, scan_count=27034534, drop_count=0, exec_time=1655165509, api_et=1655151060.000000000, api_lt=1655165460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655151060.000000000, search_lt=1655165460.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2722", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=128, eliminated_buckets=0, considered_events=27034534, total_slices=1287060, decompressed_slices=458994, duration.command.search.index=10285, invocations.command.search.index.bucketcache.hit=127, duration.command.search.index.bucketcache.hit=0, 
invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=78981, invocations.command.search.rawdata.bucketcache.hit=9, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12914460, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 00:11:51.000, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655165400_51478', total_run_time=32.27, 
event_count=0, result_count=0, available_count=0, scan_count=27047148, drop_count=0, exec_time=1655165449, api_et=1655151000.000000000, api_lt=1655165400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655151000.000000000, search_lt=1655165400.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2844", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=128, eliminated_buckets=0, considered_events=27047148, total_slices=1285269, decompressed_slices=459314, duration.command.search.index=10924, invocations.command.search.index.bucketcache.hit=128, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=86584, invocations.command.search.rawdata.bucketcache.hit=9, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12918851, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, 
dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 00:11:20.879, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1655165460_51485', total_run_time=5.06, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655165464, api_et=1655161860.000000000, api_lt=1655165460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655161860.000000000, search_lt=1655165466.401787000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="3008", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_4ac21e3aadc2f72e", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=124, eliminated_buckets=49, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=36, invocations.command.search.index.bucketcache.hit=124, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, 
duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 00:10:50.905, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655165340_51454', total_run_time=43.96, event_count=0, result_count=0, available_count=0, scan_count=27058128, drop_count=0, exec_time=1655165390, api_et=1655150940.000000000, api_lt=1655165340.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655150940.000000000, search_lt=1655165340.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2620", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=128, eliminated_buckets=0, considered_events=27058128, total_slices=1283310, decompressed_slices=459496, duration.command.search.index=11274, invocations.command.search.index.bucketcache.hit=128, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=106197, invocations.command.search.rawdata.bucketcache.hit=9, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12922763, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 00:09:47.464, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655165160_51401', total_run_time=58.55, event_count=0, result_count=0, available_count=0, scan_count=27101664, drop_count=0, exec_time=1655165210, api_et=1655150760.000000000, api_lt=1655165160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655150760.000000000, search_lt=1655165160.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3107", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=128, eliminated_buckets=0, considered_events=27101664, total_slices=1277369, decompressed_slices=459914, duration.command.search.index=12588, invocations.command.search.index.bucketcache.hit=128, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=116482, invocations.command.search.rawdata.bucketcache.hit=9, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12941675, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 00:09:47.263, user=u00002, action=search, info=completed, search_id='scheduler__u00002__search__RMD5b133e58a16dd7195_at_1655164800_51370', total_run_time=274.69, event_count=2696, result_count=2695, available_count=0, scan_count=1757355, drop_count=0, exec_time=1655165088, api_et=1655078400.000000000, api_lt=1655164800.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1567209600.000000000, search_lt=1655164800.000000000, is_realtime=0, savedsearch_name="DMO Confluence Aging Metrics", search_startup_time="64683", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_search_u00002_6407840c7297a814", app="search", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=30404, eliminated_buckets=4811, considered_events=1757355, total_slices=14051606, decompressed_slices=1089820, duration.command.search.index=1251647, invocations.command.search.index.bucketcache.hit=27658, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=2790, duration.command.search.index.bucketcache.miss=538324, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=301761, invocations.command.search.rawdata.bucketcache.hit=20646, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=1027, duration.command.search.rawdata.bucketcache.miss=368263, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__access=71088, sourcetype_count__atlassian:confluence:access=1170765, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search earliest=08/31/2019:00:00:00 latest=now index=ops_confluence url IN ("https://confluence.tshirt.com/display/SEC/*") uri_path="/rest/quickreload/latest/*" | fields url, uri_path | rex field=uri_path "\/rest\/quickreload\/latest\/(?[^?]+)" | rex field=url "https:\/\/confluence.tshirt.com\/display\/SEC\/(?[^?]+)" | rex field=url "https://confluence.tshirt.com/display/~u00001/(?[^?]+)" | eval pageTitle=coalesce(pageTitle_1, pageTitle_2, "") | fields pageId, pageTitle | dedup pageId | join type=left pageId [search earliest=08/31/2019:00:00:00 latest=now index=ops_confluence PUT user=* url="https://confluence.tshirt.com/pages/resumedraft.action?draftId=*" uri_path="/rest/api/content/*" | rex field=uri_path "\/rest\/api\/content\/(?[^?]+)\?status=draft" | stats latest(_time) AS last_edited latest(user) AS last_edited_by by pageId | fields last_edited last_edited_by pageId] | fields last_edited pageTitle pageId last_edited_by | eval days=round(((now()-last_edited)/86400),0) | convert ctime(last_edited) | table last_edited pageTitle pageId last_edited_by days | where pageId!=0 | sort +days | outputlookup dmo_conf_age.csv'] Audit:[timestamp=06-14-2022 00:09:47.216, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1655165340_51446', total_run_time=24.68, event_count=1, result_count=1, available_count=0, scan_count=4580031, drop_count=0, exec_time=1655165345, api_et=1655161140.000000000, api_lt=1655164740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655161140.000000000, search_lt=1655164740.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS 
Cross-Account Access Granted - Rule", search_startup_time="3079", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_f27cde4caacbdd31", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=794, eliminated_buckets=377, considered_events=4580031, total_slices=1092341, decompressed_slices=209873, duration.command.search.index=2063, invocations.command.search.index.bucketcache.hit=793, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=37014, invocations.command.search.rawdata.bucketcache.hit=9, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=102, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id 
granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 00:09:47.063, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1655165220_51429', total_run_time=22.86, event_count=1184, result_count=69, available_count=0, scan_count=443341, drop_count=0, exec_time=1655165284, api_et=1655161620.000000000, api_lt=1655165220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655161620.000000000, search_lt=1655165286.196196000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2956", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=403, eliminated_buckets=195, considered_events=448300, total_slices=494749, decompressed_slices=113278, duration.command.search.index=5726, invocations.command.search.index.bucketcache.hit=403, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=45649, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, 
invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=8, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=362198, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=33654, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] 
Audit:[timestamp=06-14-2022 00:09:46.845, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655165280_51438', total_run_time=39.54, event_count=0, result_count=0, available_count=0, scan_count=27070931, drop_count=0, exec_time=1655165329, api_et=1655150880.000000000, api_lt=1655165280.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655150880.000000000, search_lt=1655165280.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2614", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=128, eliminated_buckets=0, considered_events=27070931, total_slices=1281329, decompressed_slices=459519, duration.command.search.index=11699, invocations.command.search.index.bucketcache.hit=128, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=98846, invocations.command.search.rawdata.bucketcache.hit=9, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12927308, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs 
sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 00:09:46.656, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1655165220_51417', total_run_time=9.68, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655165246, api_et=1655161620.000000000, api_lt=1655165220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655161620.000000000, search_lt=1655165248.723111000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2782", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_5a2ff864c9186e16", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=403, eliminated_buckets=195, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=2427, invocations.command.search.index.bucketcache.hit=403, 
duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-14-2022 00:06:51.363, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655165100_51387', total_run_time=46.48, event_count=0, result_count=0, available_count=0, scan_count=27115778, drop_count=0, exec_time=1655165150, api_et=1655150700.000000000, api_lt=1655165100.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655150700.000000000, search_lt=1655165100.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3186", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=128, eliminated_buckets=0, considered_events=27115778, total_slices=1275523, decompressed_slices=460261, duration.command.search.index=15669, invocations.command.search.index.bucketcache.hit=128, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=137894, invocations.command.search.rawdata.bucketcache.hit=9, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12948992, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 00:05:21.325, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655164980_51325', total_run_time=81.18, event_count=0, result_count=0, available_count=0, scan_count=27139561, drop_count=0, exec_time=1655165029, api_et=1655150580.000000000, api_lt=1655164980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655150580.000000000, search_lt=1655164980.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2252", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=128, eliminated_buckets=1, considered_events=27139561, total_slices=1271499, decompressed_slices=460757, duration.command.search.index=20072, invocations.command.search.index.bucketcache.hit=128, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=217054, invocations.command.search.rawdata.bucketcache.hit=9, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12964207, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 00:03:47.417, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655164860_51241', total_run_time=66.82, event_count=0, result_count=0, available_count=0, scan_count=27161296, drop_count=0, exec_time=1655164909, api_et=1655150460.000000000, api_lt=1655164860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655150460.000000000, search_lt=1655164860.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2580", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=128, eliminated_buckets=1, considered_events=27161296, total_slices=1267449, decompressed_slices=461144, duration.command.search.index=18542, invocations.command.search.index.bucketcache.hit=128, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=183585, invocations.command.search.rawdata.bucketcache.hit=9, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12971801, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-14-2022 00:01:46.014, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD5447569e8e48a25cb_at_1655164800_51205', total_run_time=62.99, event_count=0, result_count=102, available_count=0, scan_count=0, drop_count=0, exec_time=1655164832, api_et=1655163000.000000000, api_lt=1655164800.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655163000.000000000, search_lt=1655164800.000000000, is_realtime=0, savedsearch_name="DMO SOP SIR Metrics", search_startup_time="63691", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, 
searched_buckets=0, eliminated_buckets=0, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=0, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='| inputlookup dmo_conf_age.csv | search pageTitle IN ("DMOESS*", "RQ-S*") NOT pageTitle IN ("*+Retired", "*+RETIRED") | rex field=pageTitle "^(?\S+?)\+" | join usecase_id [| search earliest=-1y index=sec_snow sourcetype=snow:sn_si_incident | rex field=description "(?s)\|\s(?(RQ-|DMOESS).*)?For ServiceNow Consumption:" | stats latest(number) as latest_sir_number by _time, usecase_title | makemv usecase_title delim=" | " | mvexpand usecase_title | search usecase_title IN ("RQ-*", "DMOESS*") | stats last(latest_sir_number) as latest_sir_number latest(_time) as last_appeared_in_sir by usecase_title | rex field=usecase_title "^(?\S*)" | fields usecase_id, usecase_title, latest_sir_number, last_appeared_in_sir] | stats values(pageTitle) as conf_pageTitle, values(last_edited_by) as conf_last_edited_by, values(last_edited) as conf_last_edited, values(days) as conf_days_since_last_edit, values(pageId) as conf_pageId by last_appeared_in_sir, 
latest_sir_number, usecase_id, usecase_title | convert ctime(last_appeared_in_sir) | outputlookup dmo_sop_sir_metrics.csv'] Audit:[timestamp=06-14-2022 00:01:45.659, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655164800_51209', total_run_time=53.30, event_count=0, result_count=0, available_count=0, scan_count=27183869, drop_count=0, exec_time=1655164849, api_et=1655150400.000000000, api_lt=1655164800.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655150400.000000000, search_lt=1655164800.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2577", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=127, eliminated_buckets=0, considered_events=27183869, total_slices=1265146, decompressed_slices=461680, duration.command.search.index=19470, invocations.command.search.index.bucketcache.hit=127, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=199474, invocations.command.search.rawdata.bucketcache.hit=9, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12989727, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 23:44:12.430, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1655163780_50919', total_run_time=22.00, event_count=0, result_count=0, available_count=0, scan_count=4105, drop_count=0, exec_time=1655163818, api_et=1655160180.000000000, api_lt=1655163780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655160180.000000000, search_lt=1655163820.616031000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2946", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_fafd33f53a0d2cec", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=122, eliminated_buckets=0, considered_events=4105, total_slices=1007047, decompressed_slices=1434, duration.command.search.index=1121, invocations.command.search.index.bucketcache.hit=122, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4966, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter 
vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 23:35:53.466, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1655163180_50713', total_run_time=38.76, event_count=0, result_count=0, available_count=0, scan_count=40683188, drop_count=0, exec_time=1655163205, api_et=1655159580.000000000, api_lt=1655163180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655159580.000000000, search_lt=1655163207.656290000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3640", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_03bfaad35abad3ea", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1879, eliminated_buckets=133, considered_events=40683188, total_slices=14455313, decompressed_slices=4234344, duration.command.search.index=14528, invocations.command.search.index.bucketcache.hit=1874, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=236044, invocations.command.search.rawdata.bucketcache.hit=293, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 23:16:47.970, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1655162160_50375', total_run_time=14.51, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655162170, api_et=1655157960.000000000, api_lt=1655161560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655158560.000000000, search_lt=1655162172.488999000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3247", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_f59ba5292b219a34", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1008, eliminated_buckets=326, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=1713, invocations.command.search.index.bucketcache.hit=1008, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metadata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metadata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes 
values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 23:14:48.096, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1655162040_50334', total_run_time=5.21, event_count=0, result_count=0, available_count=0, scan_count=15404, drop_count=0, exec_time=1655162063, api_et=1655158440.000000000, api_lt=1655162040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655158440.000000000, search_lt=1655162065.160677000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2888", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=403, eliminated_buckets=281, considered_events=15644, total_slices=627979, decompressed_slices=4411, duration.command.search.index=1166, 
invocations.command.search.index.bucketcache.hit=403, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5864, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=55, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=433, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=1080, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=257, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=5, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=395, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=9, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR 
sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." 
(CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-13-2022 23:11:18.227, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1655161860_50270', total_run_time=5.71, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655161870, api_et=1655158260.000000000, api_lt=1655161860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655158260.000000000, search_lt=1655161872.953850000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="3431", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_be5c0538eed0bca9", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=123, eliminated_buckets=48, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=38, invocations.command.search.index.bucketcache.hit=123, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 23:10:19.229, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1655161620_50215', total_run_time=5.43, event_count=0, result_count=0, available_count=0, scan_count=1, drop_count=0, exec_time=1655161646, api_et=1655158020.000000000, api_lt=1655161620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655158020.000000000, search_lt=1655161647.873865000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2764", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_76806df0826b93b8", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=407, eliminated_buckets=194, considered_events=1, total_slices=11888, decompressed_slices=0, duration.command.search.index=827, invocations.command.search.index.bucketcache.hit=406, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=200, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 23:10:18.301, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1655161620_50225', total_run_time=15.99, event_count=1182, result_count=63, available_count=0, scan_count=471258, drop_count=0, exec_time=1655161684, api_et=1655158020.000000000, api_lt=1655161620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655158020.000000000, search_lt=1655161686.167130000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2865", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=407, eliminated_buckets=194, considered_events=478690, total_slices=576019, decompressed_slices=127635, duration.command.search.index=3886, invocations.command.search.index.bucketcache.hit=406, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=36690, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=2, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=382500, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=36367, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-13-2022 23:10:18.268, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1655161740_50238', total_run_time=22.09, event_count=1, result_count=1, available_count=0, scan_count=4602996, drop_count=0, exec_time=1655161746, api_et=1655157540.000000000, api_lt=1655161140.000000000, 
api_index_et=N/A, api_index_lt=N/A, search_et=1655157540.000000000, search_lt=1655161140.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3130", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_5d98fb5cb2e6af6e", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=794, eliminated_buckets=370, considered_events=4602996, total_slices=1096417, decompressed_slices=217058, duration.command.search.index=2064, invocations.command.search.index.bucketcache.hit=794, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=31004, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=145, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | 
stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 22:44:08.625, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1655160180_49751', total_run_time=21.98, event_count=0, result_count=0, available_count=0, scan_count=4407, drop_count=0, exec_time=1655160218, api_et=1655156580.000000000, api_lt=1655160180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655156580.000000000, search_lt=1655160219.981538000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2872", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_a85c46810e579262", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=118, eliminated_buckets=0, considered_events=4407, total_slices=991305, decompressed_slices=1807, duration.command.search.index=1042, invocations.command.search.index.bucketcache.hit=118, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4898, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 22:37:39.102, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1655159580_49543', total_run_time=86.23, event_count=0, result_count=0, available_count=0, scan_count=40391432, drop_count=0, 
exec_time=1655159605, api_et=1655155980.000000000, api_lt=1655159580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655155980.000000000, search_lt=1655159607.024445000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3685", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_12ac41616aa894c2", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1856, eliminated_buckets=133, considered_events=40391432, total_slices=14314991, decompressed_slices=4202209, duration.command.search.index=15360, invocations.command.search.index.bucketcache.hit=1850, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=266668, invocations.command.search.rawdata.bucketcache.hit=259, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename 
suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 22:17:02.381, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1655158560_49195', total_run_time=28.30, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655158571, api_et=1655154360.000000000, api_lt=1655157960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655154960.000000000, search_lt=1655158573.318507000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3400", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_328e5086e0da7293", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1005, eliminated_buckets=322, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=984, invocations.command.search.index.bucketcache.hit=1004, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, 
duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metadata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metadata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF 
Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 22:14:31.684, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1655158440_49155', total_run_time=4.43, event_count=0, result_count=0, available_count=0, scan_count=15433, drop_count=0, exec_time=1655158463, api_et=1655154840.000000000, api_lt=1655158440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655154840.000000000, search_lt=1655158465.381532000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2796", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=408, eliminated_buckets=286, considered_events=15433, total_slices=512669, decompressed_slices=5090, duration.command.search.index=1170, invocations.command.search.index.bucketcache.hit=408, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=6224, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=53, 
sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=540, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=1241, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=290, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=20, sourcetype_count__crowdstrike:falcon:fdr:PdfFileWritten=2, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=803, sourcetype_count__crowdstrike:falcon:fdr:RtfFileWritten=1, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=8, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR 
sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-13-2022 22:11:31.600, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1655158260_49089', total_run_time=4.84, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655158265, api_et=1655154660.000000000, api_lt=1655158260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655154660.000000000, search_lt=1655158266.955095000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2807", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_6f25adee92a5dcae", 
app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=123, eliminated_buckets=48, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=39, invocations.command.search.index.bucketcache.hit=123, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 22:10:02.995, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1655158020_49038', total_run_time=16.89, event_count=1168, result_count=62, available_count=0, scan_count=496855, drop_count=0, exec_time=1655158080, api_et=1655154420.000000000, api_lt=1655158020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655154420.000000000, search_lt=1655158082.291001000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2757", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=409, eliminated_buckets=195, considered_events=506600, total_slices=705393, decompressed_slices=138148, duration.command.search.index=4538, invocations.command.search.index.bucketcache.hit=409, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=39188, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=6, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=401438, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=39328, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-13-2022 22:10:01.534, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1655158140_49058', total_run_time=22.00, event_count=1, result_count=1, available_count=0, scan_count=4855829, drop_count=0, exec_time=1655158145, api_et=1655153940.000000000, api_lt=1655157540.000000000, 
api_index_et=N/A, api_index_lt=N/A, search_et=1655153940.000000000, search_lt=1655157540.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3014", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_590905a4026e02ba", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=795, eliminated_buckets=368, considered_events=4855829, total_slices=1173656, decompressed_slices=220375, duration.command.search.index=1973, invocations.command.search.index.bucketcache.hit=792, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=35328, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=140, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | 
stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 22:10:00.802, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1655158020_49033', total_run_time=6.16, event_count=0, result_count=0, available_count=0, scan_count=16, drop_count=0, exec_time=1655158046, api_et=1655154420.000000000, api_lt=1655158020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655154420.000000000, search_lt=1655158048.483453000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2715", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_5fc2fddb6847939f", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=409, eliminated_buckets=195, considered_events=16, total_slices=96826, decompressed_slices=15, duration.command.search.index=998, invocations.command.search.index.bucketcache.hit=409, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, 
invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=2056, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?<dest_host>(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 21:44:20.223, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1655156580_48570', total_run_time=20.64, event_count=0, result_count=0, available_count=0, scan_count=4482, drop_count=0, exec_time=1655156618, api_et=1655152980.000000000, api_lt=1655156580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655152980.000000000, search_lt=1655156620.388392000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2757", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_d2dd2c7de4045be1", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=119, eliminated_buckets=0, considered_events=4482, total_slices=853781, decompressed_slices=1478, duration.command.search.index=1041, invocations.command.search.index.bucketcache.hit=119, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4925, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 21:38:17.567, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1655155980_48360', total_run_time=77.33, event_count=0, result_count=0, available_count=0, scan_count=40471177, drop_count=0, exec_time=1655156005, api_et=1655152380.000000000, api_lt=1655155980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655152380.000000000, search_lt=1655156007.275098000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3947", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_b71e5c734f9b2e59", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1864, eliminated_buckets=134, considered_events=40471177, total_slices=14201214, decompressed_slices=4155234, duration.command.search.index=16078, invocations.command.search.index.bucketcache.hit=1862, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=301552, invocations.command.search.rawdata.bucketcache.hit=284, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 21:16:58.990, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1655154960_47989', total_run_time=22.27, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655154971, api_et=1655150760.000000000, api_lt=1655154360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655151360.000000000, search_lt=1655154973.307472000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3244", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_a7c1cd4f7cbc9075", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1006, eliminated_buckets=324, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=1064, invocations.command.search.index.bucketcache.hit=1006, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?<rapiddiag_operation>task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metadata")` | rex field=uri "\?(?<get_parameters>.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?<task_name>.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metadata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 21:14:28.958, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1655154840_47949', total_run_time=5.30, event_count=0, result_count=0, available_count=0, scan_count=17229, drop_count=0, exec_time=1655154863, api_et=1655151240.000000000, api_lt=1655154840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655151240.000000000, search_lt=1655154865.537625000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2826", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=403, eliminated_buckets=279, considered_events=17684, total_slices=447148, decompressed_slices=5275, duration.command.search.index=1218, invocations.command.search.index.bucketcache.hit=403, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=6128, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=97, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=550, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=1354, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=317, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=9, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=820, sourcetype_count__crowdstrike:falcon:fdr:RtfFileWritten=1, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=11, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR 
sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-13-2022 21:11:29.028, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1655154660_47883', total_run_time=5.63, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655154664, api_et=1655151060.000000000, api_lt=1655154660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655151060.000000000, search_lt=1655154667.448147000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="3554", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_734e0b9d78452013", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=124, eliminated_buckets=48, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=38, 
invocations.command.search.index.bucketcache.hit=124, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 21:09:28.917, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1655154540_47848', total_run_time=20.03, event_count=0, result_count=0, available_count=0, scan_count=5647309, drop_count=0, exec_time=1655154546, api_et=1655150340.000000000, api_lt=1655153940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655150340.000000000, search_lt=1655153940.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3229", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_3f0577b3415cc240", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=799, eliminated_buckets=368, considered_events=5647309, total_slices=1246512, decompressed_slices=259633, duration.command.search.index=2140, invocations.command.search.index.bucketcache.hit=799, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=39969, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=118, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?<granted_account_id>\d+?):(?<granted_principal_name>.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 21:08:57.638, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1655154420_47824', total_run_time=6.25, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655154446, api_et=1655150820.000000000, api_lt=1655154420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655150820.000000000, search_lt=1655154448.550097000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To 
Gitlab Servers - Rule", search_startup_time="2790", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_6085348723b3e9a5", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=402, eliminated_buckets=197, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=843, invocations.command.search.index.bucketcache.hit=402, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?<dest_host>(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host 
ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 21:08:57.335, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1655154420_47829', total_run_time=22.97, event_count=1084, result_count=59, available_count=0, scan_count=512167, drop_count=0, exec_time=1655154480, api_et=1655150820.000000000, api_lt=1655154420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655150820.000000000, search_lt=1655154482.116346000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2877", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=403, eliminated_buckets=197, considered_events=520129, total_slices=663168, decompressed_slices=122043, duration.command.search.index=3423, invocations.command.search.index.bucketcache.hit=403, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=33264, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, 
invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=6, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=406271, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=40919, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] 
Audit:[timestamp=06-13-2022 21:00:18.082, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655153760_47587', total_run_time=15.51, event_count=0, result_count=0, available_count=0, scan_count=28530731, drop_count=0, exec_time=1655153809, api_et=1655139360.000000000, api_lt=1655153760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655139360.000000000, search_lt=1655153760.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2560", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=28530731, total_slices=1355390, decompressed_slices=473918, duration.command.search.index=10150, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=75149, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13391582, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs 
sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 21:00:17.368, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655153820_47604', total_run_time=15.49, event_count=0, result_count=0, available_count=0, scan_count=28534489, drop_count=0, exec_time=1655153870, api_et=1655139420.000000000, api_lt=1655153820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655139420.000000000, search_lt=1655153820.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2696", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=28534489, total_slices=1357300, decompressed_slices=474023, duration.command.search.index=9883, invocations.command.search.index.bucketcache.hit=137, 
duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=72872, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13394815, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 21:00:17.227, user=u00002, action=search, info=completed, 
search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655153940_47633', total_run_time=19.46, event_count=0, result_count=0, available_count=0, scan_count=28525156, drop_count=0, exec_time=1655153990, api_et=1655139540.000000000, api_lt=1655153940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655139540.000000000, search_lt=1655153940.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2774", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=28525156, total_slices=1335565, decompressed_slices=474147, duration.command.search.index=9921, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=79432, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13396298, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" 
src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 21:00:17.133, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655153880_47620', total_run_time=14.97, event_count=0, result_count=0, available_count=0, scan_count=28529225, drop_count=0, exec_time=1655153929, api_et=1655139480.000000000, api_lt=1655153880.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655139480.000000000, search_lt=1655153880.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2555", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=28529225, total_slices=1333302, decompressed_slices=474038, duration.command.search.index=10000, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, 
invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=71899, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13395004, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 20:56:28.266, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655153700_47576', total_run_time=15.21, 
event_count=0, result_count=0, available_count=0, scan_count=28529964, drop_count=0, exec_time=1655153749, api_et=1655139300.000000000, api_lt=1655153700.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655139300.000000000, search_lt=1655153700.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2840", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=28529964, total_slices=1353190, decompressed_slices=473870, duration.command.search.index=10153, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=72111, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13389129, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, 
dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 20:55:28.235, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655153640_47561', total_run_time=16.62, event_count=0, result_count=0, available_count=0, scan_count=28529218, drop_count=0, exec_time=1655153690, api_et=1655139240.000000000, api_lt=1655153640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655139240.000000000, search_lt=1655153640.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3129", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=28529218, total_slices=1351135, decompressed_slices=473853, duration.command.search.index=10410, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, 
duration.command.search.rawdata=69152, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13387270, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 20:54:28.082, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655153580_47544', total_run_time=19.46, event_count=0, result_count=0, available_count=0, scan_count=28527849, drop_count=0, exec_time=1655153629, api_et=1655139180.000000000, 
api_lt=1655153580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655139180.000000000, search_lt=1655153580.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3110", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=28527849, total_slices=1348843, decompressed_slices=473831, duration.command.search.index=10213, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=71809, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13386040, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, 
earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 20:53:23.049, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655153520_47521', total_run_time=19.21, event_count=0, result_count=0, available_count=0, scan_count=28530911, drop_count=0, exec_time=1655153569, api_et=1655139120.000000000, api_lt=1655153520.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655139120.000000000, search_lt=1655153520.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2632", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=28530911, total_slices=1346720, decompressed_slices=473819, duration.command.search.index=11256, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=77246, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, 
invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13384969, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 20:53:07.576, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655153460_47504', total_run_time=17.75, event_count=0, result_count=0, available_count=0, scan_count=28527468, drop_count=0, exec_time=1655153510, api_et=1655139060.000000000, api_lt=1655153460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655139060.000000000, search_lt=1655153460.000000000, is_realtime=0, 
savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2642", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=28527468, total_slices=1344621, decompressed_slices=473746, duration.command.search.index=12091, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=77505, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13381905, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as 
ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 20:51:28.441, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655153400_47480', total_run_time=16.99, event_count=0, result_count=0, available_count=0, scan_count=28524561, drop_count=0, exec_time=1655153449, api_et=1655139000.000000000, api_lt=1655153400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655139000.000000000, search_lt=1655153400.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2635", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=28524561, total_slices=1342502, decompressed_slices=473692, duration.command.search.index=10489, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=73470, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, 
invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13379457, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 20:50:28.588, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655153340_47457', total_run_time=29.42, event_count=0, result_count=0, available_count=0, scan_count=28521346, drop_count=0, exec_time=1655153389, api_et=1655138940.000000000, api_lt=1655153340.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655138940.000000000, search_lt=1655153340.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2596", has_error_msg=false, fully_completed_search=true, 
is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=28521346, total_slices=1340389, decompressed_slices=473691, duration.command.search.index=11346, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=93527, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13376005, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval 
right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 20:49:28.412, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655153280_47436', total_run_time=18.04, event_count=0, result_count=0, available_count=0, scan_count=28519996, drop_count=0, exec_time=1655153329, api_et=1655138880.000000000, api_lt=1655153280.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655138880.000000000, search_lt=1655153280.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2626", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=28519996, total_slices=1338274, decompressed_slices=473649, duration.command.search.index=10403, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=76557, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13372056, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 20:48:23.325, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655153160_47398', total_run_time=15.33, event_count=0, result_count=0, available_count=0, scan_count=28521552, drop_count=0, exec_time=1655153209, api_et=1655138760.000000000, api_lt=1655153160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655138760.000000000, search_lt=1655153160.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2655", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=28521552, total_slices=1360055, decompressed_slices=473527, duration.command.search.index=10077, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=71114, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13365282, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 20:48:23.121, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655153220_47419', total_run_time=21.59, event_count=0, result_count=0, available_count=0, scan_count=28524014, drop_count=0, exec_time=1655153269, api_et=1655138820.000000000, api_lt=1655153220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655138820.000000000, search_lt=1655153220.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2597", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=28524014, total_slices=1362208, decompressed_slices=473636, duration.command.search.index=11856, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=79752, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13370242, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 20:46:28.212, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655153100_47380', total_run_time=14.57, event_count=0, result_count=0, available_count=0, scan_count=28519413, drop_count=0, exec_time=1655153149, api_et=1655138700.000000000, api_lt=1655153100.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655138700.000000000, search_lt=1655153100.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2746", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=28519413, total_slices=1358012, decompressed_slices=473489, duration.command.search.index=9891, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=71564, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13359289, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 20:45:28.297, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655153040_47358', total_run_time=15.10, event_count=0, result_count=0, available_count=0, scan_count=28518748, drop_count=0, exec_time=1655153089, api_et=1655138640.000000000, api_lt=1655153040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655138640.000000000, search_lt=1655153040.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2739", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=28518748, total_slices=1355509, decompressed_slices=473450, duration.command.search.index=9870, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=68583, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13355609, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 20:44:18.682, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655152980_47337', total_run_time=14.81, event_count=0, result_count=0, available_count=0, scan_count=28516976, drop_count=0, exec_time=1655153029, api_et=1655138580.000000000, api_lt=1655152980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655138580.000000000, search_lt=1655152980.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3171", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=28516976, total_slices=1353835, decompressed_slices=473379, duration.command.search.index=9958, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=70384, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13350637, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 20:44:18.370, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1655152980_47334', total_run_time=21.11, event_count=0, result_count=0, available_count=0, scan_count=3554, drop_count=0, exec_time=1655153018, api_et=1655149380.000000000, api_lt=1655152980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655149380.000000000, search_lt=1655153020.725069000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2727", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_ad354f846d37a583", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=120, eliminated_buckets=0, considered_events=3554, total_slices=769506, decompressed_slices=1391, duration.command.search.index=1100, invocations.command.search.index.bucketcache.hit=120, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4841, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 20:43:58.884, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655152860_47287', total_run_time=15.35, event_count=0, result_count=0, available_count=0, scan_count=28520730, drop_count=0, exec_time=1655152909, api_et=1655138460.000000000, api_lt=1655152860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655138460.000000000, search_lt=1655152860.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2635", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=28520730, total_slices=1349542, decompressed_slices=473397, duration.command.search.index=10150, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=72289, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13346734, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 20:43:58.723, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655152920_47310', total_run_time=15.37, event_count=0, result_count=0, available_count=0, scan_count=28518703, drop_count=0, exec_time=1655152969, api_et=1655138520.000000000, api_lt=1655152920.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655138520.000000000, search_lt=1655152920.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2727", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=28518703, total_slices=1351602, decompressed_slices=473324, duration.command.search.index=10250, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=75329, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13349782, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 20:41:29.630, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655152800_47262', total_run_time=19.80, event_count=0, result_count=0, available_count=0, scan_count=28518659, drop_count=0, exec_time=1655152849, api_et=1655138400.000000000, api_lt=1655152800.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655138400.000000000, search_lt=1655152800.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2583", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=28518659, total_slices=1374228, decompressed_slices=473384, duration.command.search.index=10543, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=76520, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13342596, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 20:40:19.355, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655152620_47209', total_run_time=16.40, event_count=0, result_count=0, available_count=0, scan_count=28512609, drop_count=0, exec_time=1655152669, api_et=1655138220.000000000, api_lt=1655152620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655138220.000000000, search_lt=1655152620.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2653", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=28512609, total_slices=1367649, decompressed_slices=473111, duration.command.search.index=10442, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=68589, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13335291, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 20:40:19.334, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655152680_47223', total_run_time=15.03, event_count=0, result_count=0, available_count=0, scan_count=28511055, drop_count=0, exec_time=1655152729, api_et=1655138280.000000000, api_lt=1655152680.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655138280.000000000, search_lt=1655152680.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2709", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=28511055, total_slices=1369970, decompressed_slices=473181, duration.command.search.index=10259, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=68976, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13335391, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 20:40:18.693, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655152740_47240', total_run_time=17.07, event_count=0, result_count=0, available_count=0, scan_count=28516008, drop_count=0, exec_time=1655152789, api_et=1655138340.000000000, api_lt=1655152740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655138340.000000000, search_lt=1655152740.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2609", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=28516008, total_slices=1372101, decompressed_slices=473216, duration.command.search.index=10853, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=74782, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13339458, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 20:37:18.872, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655152560_47194', total_run_time=15.55, event_count=0, result_count=0, available_count=0, scan_count=28506365, drop_count=0, exec_time=1655152610, api_et=1655138160.000000000, api_lt=1655152560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655138160.000000000, search_lt=1655152560.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2796", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=28506365, total_slices=1392288, decompressed_slices=473102, duration.command.search.index=10129, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=69496, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13332967, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 20:36:19.564, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655152500_47184', total_run_time=14.97, event_count=0, result_count=0, available_count=0, scan_count=28506908, drop_count=0, exec_time=1655152549, api_et=1655138100.000000000, api_lt=1655152500.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655138100.000000000, search_lt=1655152500.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2235", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=28506908, total_slices=1390029, decompressed_slices=472984, duration.command.search.index=10169, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=72369, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13331472, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 20:35:18.914, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655152440_47163', total_run_time=23.18, event_count=0, result_count=0, available_count=0, scan_count=28501378, drop_count=0, exec_time=1655152490, api_et=1655138040.000000000, api_lt=1655152440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655138040.000000000, search_lt=1655152440.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2726", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=28501378, total_slices=1387850, decompressed_slices=472904, duration.command.search.index=14797, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=94914, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13328598, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 20:34:19.009, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655152380_47128', total_run_time=18.89, event_count=0, result_count=0, available_count=0, scan_count=28503432, drop_count=0, exec_time=1655152429, api_et=1655137980.000000000, api_lt=1655152380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655137980.000000000, search_lt=1655152380.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2676", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=28503432, total_slices=1385688, decompressed_slices=472952, duration.command.search.index=12448, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=80603, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13328975, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 20:34:18.944, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1655152380_47114', total_run_time=43.48, event_count=0, result_count=0, available_count=0, scan_count=40542324, drop_count=0, exec_time=1655152405, api_et=1655148780.000000000, api_lt=1655152380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655148780.000000000, search_lt=1655152407.046663000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3136", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_9b7c1bb14634328d", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1856, eliminated_buckets=135, considered_events=40542324, total_slices=14207099, decompressed_slices=4144178, duration.command.search.index=15021, invocations.command.search.index.bucketcache.hit=1855, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=242050, invocations.command.search.rawdata.bucketcache.hit=279, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 20:33:17.183, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655152320_47091', total_run_time=18.50, event_count=0, result_count=0, available_count=0, scan_count=28504895, drop_count=0, exec_time=1655152369, api_et=1655137920.000000000, api_lt=1655152320.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655137920.000000000, search_lt=1655152320.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2740", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=28504895, total_slices=1383559, decompressed_slices=472883, duration.command.search.index=11500, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=81941, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13328416, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 20:32:19.261, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655152260_47062', total_run_time=18.83, event_count=0, result_count=0, available_count=0, scan_count=28502592, drop_count=0, exec_time=1655152309, api_et=1655137860.000000000, api_lt=1655152260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655137860.000000000, search_lt=1655152260.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3112", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=28502592, total_slices=1381450, decompressed_slices=472816, duration.command.search.index=11151, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=82832, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13328718, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 20:31:19.035, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655152200_47033', total_run_time=23.09, event_count=0, result_count=0, available_count=0, scan_count=28500846, drop_count=0, exec_time=1655152249, api_et=1655137800.000000000, api_lt=1655152200.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655137800.000000000, search_lt=1655152200.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3197", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=1, considered_events=28500846, total_slices=1379116, decompressed_slices=472704, duration.command.search.index=12515, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=88874, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13327174, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 20:30:19.189, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655152140_47005', total_run_time=20.54, event_count=0, result_count=0, available_count=0, scan_count=28497401, drop_count=0, exec_time=1655152190, api_et=1655137740.000000000, api_lt=1655152140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655137740.000000000, search_lt=1655152140.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2715", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=1, considered_events=28497401, total_slices=1403068, decompressed_slices=472614, duration.command.search.index=10210, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=85903, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13326821, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 20:29:20.027, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655152080_46992', total_run_time=16.00, event_count=0, result_count=0, available_count=0, scan_count=28496662, drop_count=0, exec_time=1655152129, api_et=1655137680.000000000, api_lt=1655152080.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655137680.000000000, search_lt=1655152080.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2751", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=28496662, total_slices=1400749, decompressed_slices=472594, duration.command.search.index=9871, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=71814, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13326181, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 20:29:19.666, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655152020_46978', total_run_time=17.66, event_count=0, result_count=0, available_count=0, scan_count=28496345, drop_count=0, exec_time=1655152069, api_et=1655137620.000000000, api_lt=1655152020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655137620.000000000, search_lt=1655152020.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2255", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=28496345, total_slices=1398515, decompressed_slices=472569, duration.command.search.index=10209, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=76058, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13326695, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 20:27:23.617, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655151960_46960', total_run_time=17.98, event_count=0, result_count=0, available_count=0, scan_count=28501972, drop_count=0, exec_time=1655152009, api_et=1655137560.000000000, api_lt=1655151960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655137560.000000000, search_lt=1655151960.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2608", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=28501972, total_slices=1396500, decompressed_slices=472521, duration.command.search.index=10085, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=75366, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13329687, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 20:26:23.414, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655151900_46944', total_run_time=20.73, event_count=0, result_count=0, available_count=0, scan_count=28505719, drop_count=0, exec_time=1655151950, api_et=1655137500.000000000, api_lt=1655151900.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655137500.000000000, search_lt=1655151900.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3453", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=28505719, total_slices=1394482, decompressed_slices=472530, duration.command.search.index=10089, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=75552, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13328961, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 20:25:14.643, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655151840_46931', total_run_time=21.35, event_count=0, result_count=0, available_count=0, scan_count=28509854, drop_count=0, exec_time=1655151889, api_et=1655137440.000000000, api_lt=1655151840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655137440.000000000, search_lt=1655151840.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2612", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=28509854, total_slices=1392320, decompressed_slices=472475, duration.command.search.index=11438, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=77282, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13329737, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 20:24:56.491, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655151720_46880', total_run_time=35.86, event_count=0, result_count=0, available_count=0, scan_count=28514619, drop_count=0, exec_time=1655151769, api_et=1655137320.000000000, api_lt=1655151720.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655137320.000000000, search_lt=1655151720.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2685", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=28514619, total_slices=1388009, decompressed_slices=472580, duration.command.search.index=14128, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=136426, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13326052, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 20:24:55.594, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655151780_46912', total_run_time=24.62, event_count=0, result_count=0, available_count=0, scan_count=28512417, drop_count=0, exec_time=1655151830, api_et=1655137380.000000000, api_lt=1655151780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655137380.000000000, search_lt=1655151780.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2814", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=28512417, total_slices=1390168, decompressed_slices=472581, duration.command.search.index=11519, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=79411, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13328237, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 20:22:23.052, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655151660_46864', total_run_time=27.56, event_count=0, result_count=0, available_count=0, scan_count=28513741, drop_count=0, exec_time=1655151710, api_et=1655137260.000000000, api_lt=1655151660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655137260.000000000, search_lt=1655151660.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2695", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=28513741, total_slices=1385953, decompressed_slices=472556, duration.command.search.index=12486, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=90302, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13325930, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 20:21:22.048, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655151600_46835', total_run_time=28.31, event_count=0, result_count=0, available_count=0, scan_count=28509445, drop_count=0, exec_time=1655151649, api_et=1655137200.000000000, api_lt=1655151600.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655137200.000000000, search_lt=1655151600.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2554", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=28509445, total_slices=1383856, decompressed_slices=472458, duration.command.search.index=12703, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=91693, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13321860, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 20:20:48.257, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655151420_46767', total_run_time=17.87, event_count=0, result_count=0, available_count=0, scan_count=28499164, drop_count=0, exec_time=1655151469, api_et=1655137020.000000000, api_lt=1655151420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655137020.000000000, search_lt=1655151420.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2872", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=28499164, total_slices=1403637, decompressed_slices=472387, duration.command.search.index=10547, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=76010, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13316002, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 20:20:47.691, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655151480_46787', total_run_time=18.37, event_count=0, result_count=0, available_count=0, scan_count=28502924, drop_count=0, exec_time=1655151529, api_et=1655137080.000000000, api_lt=1655151480.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655137080.000000000, search_lt=1655151480.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2755", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=28502924, total_slices=1405865, decompressed_slices=472408, duration.command.search.index=12085, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=83364, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13318855, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 20:20:47.368, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655151540_46813', total_run_time=18.87, event_count=0, result_count=0, available_count=0, scan_count=28503806, drop_count=0, exec_time=1655151589, api_et=1655137140.000000000, api_lt=1655151540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655137140.000000000, search_lt=1655151540.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2697", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=28503806, total_slices=1381664, decompressed_slices=472477, duration.command.search.index=10467, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=81250, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13319561, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 20:20:47.082, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655151360_46744', total_run_time=17.91, event_count=0, result_count=0, available_count=0, scan_count=28494239, drop_count=0, exec_time=1655151409, api_et=1655136960.000000000, api_lt=1655151360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655136960.000000000, search_lt=1655151360.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2608", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=28494239, total_slices=1401585, decompressed_slices=472188, duration.command.search.index=10027, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=74711, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13315484, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 20:16:35.837, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1655151360_46738', total_run_time=10.98, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655151370, api_et=1655147160.000000000, api_lt=1655150760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655147760.000000000, search_lt=1655151373.025931000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3625", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_91121bf47c7ec588", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1006, eliminated_buckets=324, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=929, invocations.command.search.index.bucketcache.hit=1006, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?<rapiddiag_operation>task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?<get_parameters>.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?<task_name>.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes 
values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 20:16:06.823, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655151300_46727', total_run_time=16.54, event_count=0, result_count=0, available_count=0, scan_count=28497776, drop_count=0, exec_time=1655151350, api_et=1655136900.000000000, api_lt=1655151300.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655136900.000000000, search_lt=1655151300.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2847", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=0, considered_events=28497776, total_slices=1425573, 
decompressed_slices=472096, duration.command.search.index=9870, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=74997, invocations.command.search.rawdata.bucketcache.hit=20, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13316871, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 20:15:35.746, 
user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655151240_46708', total_run_time=15.80, event_count=0, result_count=0, available_count=0, scan_count=28488666, drop_count=0, exec_time=1655151289, api_et=1655136840.000000000, api_lt=1655151240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655136840.000000000, search_lt=1655151240.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2632", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=0, considered_events=28488666, total_slices=1423380, decompressed_slices=471925, duration.command.search.index=10121, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=76033, invocations.command.search.rawdata.bucketcache.hit=20, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13313361, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" 
dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 20:14:35.326, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655151060_46639', total_run_time=18.35, event_count=0, result_count=0, available_count=0, scan_count=28476830, drop_count=0, exec_time=1655151109, api_et=1655136660.000000000, api_lt=1655151060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655136660.000000000, search_lt=1655151060.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3041", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=0, considered_events=28476830, total_slices=1417107, decompressed_slices=471678, duration.command.search.index=10620, invocations.command.search.index.bucketcache.hit=139, 
duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=78683, invocations.command.search.rawdata.bucketcache.hit=20, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13304042, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 20:14:35.245, user=u00002, action=search, info=completed, 
search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655151180_46684', total_run_time=14.58, event_count=0, result_count=0, available_count=0, scan_count=28486969, drop_count=0, exec_time=1655151229, api_et=1655136780.000000000, api_lt=1655151180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655136780.000000000, search_lt=1655151180.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2557", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=0, considered_events=28486969, total_slices=1421156, decompressed_slices=471868, duration.command.search.index=9816, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=72774, invocations.command.search.rawdata.bucketcache.hit=20, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13310511, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" 
src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 20:14:35.189, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1655151240_46694', total_run_time=5.02, event_count=0, result_count=0, available_count=0, scan_count=24819, drop_count=0, exec_time=1655151263, api_et=1655147640.000000000, api_lt=1655151240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655147640.000000000, search_lt=1655151264.987746000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2839", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=409, eliminated_buckets=279, considered_events=25700, total_slices=534835, decompressed_slices=6511, duration.command.search.index=1616, invocations.command.search.index.bucketcache.hit=409, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=6393, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=79, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=537, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=1352, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=322, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=19, sourcetype_count__crowdstrike:falcon:fdr:PdfFileWritten=1, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=1619, sourcetype_count__crowdstrike:falcon:fdr:RtfFileWritten=4, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=28, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR 
sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." 
(CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-13-2022 20:14:34.788, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655151120_46657', total_run_time=15.61, event_count=0, result_count=0, available_count=0, scan_count=28481729, drop_count=0, exec_time=1655151169, api_et=1655136720.000000000, api_lt=1655151120.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655136720.000000000, search_lt=1655151120.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2621", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=0, considered_events=28481729, total_slices=1419057, decompressed_slices=471756, duration.command.search.index=10083, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=73439, invocations.command.search.rawdata.bucketcache.hit=20, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13306571, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 20:11:37.854, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655151000_46614', total_run_time=24.58, event_count=0, result_count=0, available_count=0, scan_count=28471720, drop_count=0, exec_time=1655151050, api_et=1655136600.000000000, api_lt=1655151000.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655136600.000000000, search_lt=1655151000.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2599", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=28471720, total_slices=1441418, decompressed_slices=471514, duration.command.search.index=11503, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=81480, invocations.command.search.rawdata.bucketcache.hit=21, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13300225, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 20:11:37.813, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1655151060_46621', total_run_time=4.69, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655151064, api_et=1655147460.000000000, api_lt=1655151060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655147460.000000000, search_lt=1655151066.092666000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2350", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_3d6b78dabcb52851", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=123, eliminated_buckets=48, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=42, invocations.command.search.index.bucketcache.hit=123, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 20:10:08.094, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655150940_46595', total_run_time=17.52, event_count=0, result_count=0, available_count=0, scan_count=28464924, drop_count=0, exec_time=1655150989, api_et=1655136540.000000000, api_lt=1655150940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655136540.000000000, search_lt=1655150940.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2765", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=28464924, total_slices=1439216, decompressed_slices=471442, duration.command.search.index=10160, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=77789, invocations.command.search.rawdata.bucketcache.hit=21, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13298482, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 20:09:38.020, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1655150940_46587', total_run_time=22.76, event_count=0, result_count=0, available_count=0, scan_count=5666031, drop_count=0, exec_time=1655150945, api_et=1655146740.000000000, api_lt=1655150340.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655146740.000000000, search_lt=1655150340.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3217", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_2da75f3cf785b460", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=804, eliminated_buckets=371, considered_events=5666031, total_slices=1281316, decompressed_slices=258326, duration.command.search.index=2267, invocations.command.search.index.bucketcache.hit=804, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=40744, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=140, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", 
risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 20:09:37.921, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655150880_46579', total_run_time=18.81, event_count=0, result_count=0, available_count=0, scan_count=28458704, drop_count=0, exec_time=1655150929, api_et=1655136480.000000000, api_lt=1655150880.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655136480.000000000, search_lt=1655150880.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2619", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=28458704, total_slices=1437060, decompressed_slices=471314, duration.command.search.index=11232, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=79117, invocations.command.search.rawdata.bucketcache.hit=21, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, 
duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13296033, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 20:08:37.909, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1655150820_46566', total_run_time=18.75, event_count=1191, result_count=56, available_count=0, scan_count=565888, drop_count=0, exec_time=1655150880, api_et=1655147220.000000000, api_lt=1655150820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655147220.000000000, search_lt=1655150882.299180000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - Windows - CLI Threat Indicator 
Detected - Rule", search_startup_time="2842", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=409, eliminated_buckets=202, considered_events=571931, total_slices=641127, decompressed_slices=143254, duration.command.search.index=4627, invocations.command.search.index.bucketcache.hit=409, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=41971, invocations.command.search.rawdata.bucketcache.hit=5, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=5, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=448547, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=45875, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory 
notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-13-2022 20:08:37.851, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655150820_46563', total_run_time=18.61, event_count=0, result_count=0, available_count=0, scan_count=28450940, drop_count=0, exec_time=1655150869, api_et=1655136420.000000000, api_lt=1655150820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655136420.000000000, search_lt=1655150820.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2573", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=141, eliminated_buckets=0, considered_events=28450940, total_slices=1461576, decompressed_slices=471116, duration.command.search.index=10592, invocations.command.search.index.bucketcache.hit=141, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=77033, invocations.command.search.rawdata.bucketcache.hit=22, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13291697, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 20:07:39.437, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1655150820_46558', total_run_time=6.96, event_count=0, result_count=0, available_count=0, 
scan_count=0, drop_count=0, exec_time=1655150846, api_et=1655147220.000000000, api_lt=1655150820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655147220.000000000, search_lt=1655150848.529148000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2829", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_634c9325dafd553d", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=409, eliminated_buckets=202, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=1044, invocations.command.search.index.bucketcache.hit=409, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR 
CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 20:07:39.275, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655150760_46543', total_run_time=19.83, event_count=0, result_count=0, available_count=0, scan_count=28437808, drop_count=0, exec_time=1655150810, api_et=1655136360.000000000, api_lt=1655150760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655136360.000000000, search_lt=1655150760.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2713", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=141, eliminated_buckets=0, considered_events=28437808, total_slices=1459403, decompressed_slices=470984, duration.command.search.index=11934, 
invocations.command.search.index.bucketcache.hit=141, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=81796, invocations.command.search.rawdata.bucketcache.hit=22, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13288642, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 20:06:37.554, user=u00002, action=search, info=completed, 
search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655150700_46529', total_run_time=20.51, event_count=0, result_count=0, available_count=0, scan_count=28432305, drop_count=0, exec_time=1655150750, api_et=1655136300.000000000, api_lt=1655150700.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655136300.000000000, search_lt=1655150700.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3129", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=141, eliminated_buckets=0, considered_events=28432305, total_slices=1457336, decompressed_slices=470738, duration.command.search.index=12137, invocations.command.search.index.bucketcache.hit=141, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=87006, invocations.command.search.rawdata.bucketcache.hit=22, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13283539, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" 
src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 20:05:37.759, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655150640_46512', total_run_time=30.88, event_count=0, result_count=0, available_count=0, scan_count=28426339, drop_count=0, exec_time=1655150690, api_et=1655136240.000000000, api_lt=1655150640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655136240.000000000, search_lt=1655150640.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2742", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=141, eliminated_buckets=0, considered_events=28426339, total_slices=1455080, decompressed_slices=470544, duration.command.search.index=13494, invocations.command.search.index.bucketcache.hit=141, duration.command.search.index.bucketcache.hit=0, 
invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=130302, invocations.command.search.rawdata.bucketcache.hit=22, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13279720, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 20:05:08.447, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655150580_46472', total_run_time=49.52, 
event_count=0, result_count=0, available_count=0, scan_count=28420332, drop_count=0, exec_time=1655150629, api_et=1655136180.000000000, api_lt=1655150580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655136180.000000000, search_lt=1655150580.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2678", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=141, eliminated_buckets=0, considered_events=28420332, total_slices=1452427, decompressed_slices=470306, duration.command.search.index=21855, invocations.command.search.index.bucketcache.hit=141, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=212459, invocations.command.search.rawdata.bucketcache.hit=22, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13275613, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, 
dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 20:03:48.701, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655150520_46426', total_run_time=48.16, event_count=0, result_count=0, available_count=0, scan_count=28413251, drop_count=0, exec_time=1655150570, api_et=1655136120.000000000, api_lt=1655150520.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655136120.000000000, search_lt=1655150520.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2690", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=141, eliminated_buckets=0, considered_events=28413251, total_slices=1450592, decompressed_slices=470140, duration.command.search.index=21030, invocations.command.search.index.bucketcache.hit=141, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, 
duration.command.search.rawdata=221597, invocations.command.search.rawdata.bucketcache.hit=22, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13274439, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 20:03:31.009, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655150460_46396', total_run_time=43.39, event_count=0, result_count=0, available_count=0, scan_count=28408514, drop_count=0, exec_time=1655150509, api_et=1655136060.000000000, 
api_lt=1655150460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655136060.000000000, search_lt=1655150460.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2572", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=141, eliminated_buckets=0, considered_events=28408514, total_slices=1448092, decompressed_slices=469947, duration.command.search.index=15533, invocations.command.search.index.bucketcache.hit=141, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=143726, invocations.command.search.rawdata.bucketcache.hit=22, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13273464, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, 
earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 20:01:38.705, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655150400_46366', total_run_time=42.39, event_count=0, result_count=0, available_count=0, scan_count=28406381, drop_count=0, exec_time=1655150449, api_et=1655136000.000000000, api_lt=1655150400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655136000.000000000, search_lt=1655150400.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2592", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=141, eliminated_buckets=0, considered_events=28406381, total_slices=1445595, decompressed_slices=469824, duration.command.search.index=15716, invocations.command.search.index.bucketcache.hit=141, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=139499, invocations.command.search.rawdata.bucketcache.hit=22, duration.command.search.rawdata.bucketcache.hit=0, 
invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13270623, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 19:44:55.771, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1655149380_46082', total_run_time=22.69, event_count=0, result_count=0, available_count=0, scan_count=3179, drop_count=0, exec_time=1655149418, api_et=1655145780.000000000, api_lt=1655149380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655145780.000000000, search_lt=1655149420.101522000, is_realtime=0, savedsearch_name="Threat - 
DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2817", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_570d1427c54d3fce", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=125, eliminated_buckets=0, considered_events=3179, total_slices=694940, decompressed_slices=1118, duration.command.search.index=1184, invocations.command.search.index.bucketcache.hit=125, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4665, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, 
risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 19:34:32.877, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1655148780_45878', total_run_time=46.24, event_count=0, result_count=0, available_count=0, scan_count=40331220, drop_count=0, exec_time=1655148805, api_et=1655145180.000000000, api_lt=1655148780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655145180.000000000, search_lt=1655148807.321222000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3624", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_9b7189dcd4e487c9", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1850, eliminated_buckets=135, considered_events=40331220, total_slices=14240795, decompressed_slices=4101542, duration.command.search.index=21983, invocations.command.search.index.bucketcache.hit=1847, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=248485, invocations.command.search.rawdata.bucketcache.hit=275, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, 
invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 19:16:26.285, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1655147760_45541', total_run_time=12.68, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655147770, api_et=1655143560.000000000, api_lt=1655147160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655144160.000000000, search_lt=1655147772.594175000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3472", has_error_msg=false, 
fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_b7038e90d21c060d", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1004, eliminated_buckets=323, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=1064, invocations.command.search.index.bucketcache.hit=1004, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as 
task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 19:14:56.574, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1655147640_45501', total_run_time=7.04, event_count=0, result_count=0, available_count=0, scan_count=22276, drop_count=0, exec_time=1655147664, api_et=1655144040.000000000, api_lt=1655147640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655144040.000000000, search_lt=1655147665.848226000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2875", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=415, eliminated_buckets=281, considered_events=22837, total_slices=586827, decompressed_slices=5646, duration.command.search.index=1528, 
invocations.command.search.index.bucketcache.hit=414, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=7448, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=65, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=550, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=1509, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=335, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=16, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=447, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=7, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR 
sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." 
(CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-13-2022 19:11:26.394, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1655147460_45435', total_run_time=5.35, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655147464, api_et=1655143860.000000000, api_lt=1655147460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655143860.000000000, search_lt=1655147466.725403000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="3328", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_018df583e445925a", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=123, eliminated_buckets=48, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=42, invocations.command.search.index.bucketcache.hit=123, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 19:09:44.676, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1655147340_45404', total_run_time=22.84, event_count=0, result_count=0, available_count=0, scan_count=5660214, drop_count=0, exec_time=1655147345, api_et=1655143140.000000000, api_lt=1655146740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655143140.000000000, search_lt=1655146740.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3180", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_776da6ae5934b11d", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=823, eliminated_buckets=385, considered_events=5660214, total_slices=1290932, decompressed_slices=256707, duration.command.search.index=4750, invocations.command.search.index.bucketcache.hit=818, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=40164, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=149, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 19:09:22.095, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1655147220_45380', total_run_time=7.80, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655147246, api_et=1655143620.000000000, api_lt=1655147220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655143620.000000000, search_lt=1655147247.932911000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To 
Gitlab Servers - Rule", search_startup_time="2854", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_4e2d42e0e1233a8a", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=417, eliminated_buckets=208, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=1001, invocations.command.search.index.bucketcache.hit=416, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host 
ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 19:09:22.064, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1655147220_45391', total_run_time=21.54, event_count=1133, result_count=62, available_count=0, scan_count=523796, drop_count=0, exec_time=1655147284, api_et=1655143620.000000000, api_lt=1655147220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655143620.000000000, search_lt=1655147286.768786000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - Windows - CLI Threat Indicator Detected - Rule", search_startup_time="3243", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=417, eliminated_buckets=208, considered_events=529113, total_slices=594391, decompressed_slices=132752, duration.command.search.index=4101, invocations.command.search.index.bucketcache.hit=416, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=40572, invocations.command.search.rawdata.bucketcache.hit=6, duration.command.search.rawdata.bucketcache.hit=0, 
invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=4, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=412277, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=38609, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] 
Audit:[timestamp=06-13-2022 18:44:05.340, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1655145780_44906', total_run_time=22.54, event_count=0, result_count=0, available_count=0, scan_count=4062, drop_count=0, exec_time=1655145818, api_et=1655142180.000000000, api_lt=1655145780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655142180.000000000, search_lt=1655145820.454955000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2750", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_0503c40066dc0da2", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=125, eliminated_buckets=0, considered_events=4062, total_slices=808562, decompressed_slices=1199, duration.command.search.index=1188, invocations.command.search.index.bucketcache.hit=125, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5080, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search 
index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 18:34:31.534, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1655145180_44698', total_run_time=40.39, event_count=0, result_count=0, available_count=0, scan_count=39975204, drop_count=0, exec_time=1655145206, api_et=1655141580.000000000, api_lt=1655145180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655141580.000000000, search_lt=1655145208.119870000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3893", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_8260dfc16b5df721", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1819, eliminated_buckets=135, considered_events=39975204, total_slices=13824985, decompressed_slices=4042162, duration.command.search.index=14635, 
invocations.command.search.index.bucketcache.hit=1817, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=230077, invocations.command.search.rawdata.bucketcache.hit=246, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 18:16:30.412, user=u00001, action=search, info=completed, 
search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1655144160_44346', total_run_time=9.66, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655144169, api_et=1655139960.000000000, api_lt=1655143560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655140560.000000000, search_lt=1655144171.786641000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3260", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_63c1920e438fd2da", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1013, eliminated_buckets=326, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=996, invocations.command.search.index.bucketcache.hit=1013, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert 
OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 18:14:30.513, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1655144040_44306', total_run_time=4.53, event_count=0, result_count=0, available_count=0, scan_count=22653, drop_count=0, exec_time=1655144063, api_et=1655140440.000000000, api_lt=1655144040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655140440.000000000, search_lt=1655144065.449583000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2867", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=418, eliminated_buckets=279, considered_events=22781, total_slices=693028, decompressed_slices=5444, duration.command.search.index=1562, invocations.command.search.index.bucketcache.hit=417, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=6379, invocations.command.search.rawdata.bucketcache.hit=6, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=93, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=570, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=1544, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=361, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=12, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=379, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=17, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") 
`filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-13-2022 18:11:58.598, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1655143620_44184', total_run_time=18.28, event_count=1189, result_count=67, available_count=0, scan_count=569850, drop_count=0, exec_time=1655143680, api_et=1655140020.000000000, api_lt=1655143620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655140020.000000000, search_lt=1655143682.018739000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2774", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=419, eliminated_buckets=211, considered_events=574584, total_slices=528277, decompressed_slices=139970, duration.command.search.index=4160, invocations.command.search.index.bucketcache.hit=418, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=39573, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=4, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=447105, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=45139, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", 
risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-13-2022 18:11:58.354, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1655143740_44204', total_run_time=25.21, event_count=1, result_count=1, available_count=0, scan_count=5565390, drop_count=0, exec_time=1655143745, api_et=1655139540.000000000, api_lt=1655143140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655139540.000000000, search_lt=1655143140.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3115", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_83059d25e22eaec5", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=815, eliminated_buckets=379, considered_events=5565390, total_slices=1284322, decompressed_slices=254893, duration.command.search.index=2108, invocations.command.search.index.bucketcache.hit=814, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=39129, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=171, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 18:11:56.894, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1655143860_44238', total_run_time=5.56, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655143864, api_et=1655140260.000000000, api_lt=1655143860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655140260.000000000, search_lt=1655143867.074957000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking 
in Gitlab - Rule", search_startup_time="3589", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_e5532615a50ee647", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=123, eliminated_buckets=48, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=46, invocations.command.search.index.bucketcache.hit=123, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 18:11:56.827, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1655143620_44179', total_run_time=5.75, event_count=0, result_count=0, available_count=0, scan_count=66, drop_count=0, exec_time=1655143646, api_et=1655140020.000000000, api_lt=1655143620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655140020.000000000, search_lt=1655143648.469679000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2879", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_b85010152e7ab091", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=419, eliminated_buckets=211, considered_events=66, total_slices=306891, decompressed_slices=66, duration.command.search.index=984, invocations.command.search.index.bucketcache.hit=418, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4619, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, 
search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 17:44:13.798, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1655142180_43716', total_run_time=21.41, event_count=0, result_count=0, available_count=0, scan_count=3454, drop_count=0, exec_time=1655142218, api_et=1655138580.000000000, api_lt=1655142180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655138580.000000000, search_lt=1655142220.411321000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2805", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_32123f41be4116df", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=125, eliminated_buckets=0, considered_events=3454, total_slices=870073, decompressed_slices=1065, duration.command.search.index=1168, invocations.command.search.index.bucketcache.hit=124, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4740, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 17:34:24.118, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1655141580_43511', total_run_time=47.98, event_count=0, result_count=0, available_count=0, scan_count=39685648, drop_count=0, exec_time=1655141605, api_et=1655137980.000000000, api_lt=1655141580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655137980.000000000, search_lt=1655141607.663140000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3642", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_9e858d2de863dd8d", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1821, eliminated_buckets=135, considered_events=39685648, total_slices=13934993, decompressed_slices=3993559, duration.command.search.index=16454, invocations.command.search.index.bucketcache.hit=1818, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=238063, invocations.command.search.rawdata.bucketcache.hit=261, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 17:16:32.826, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1655140560_43163', total_run_time=8.32, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655140571, api_et=1655136360.000000000, api_lt=1655139960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655136960.000000000, search_lt=1655140573.112596000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3286", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_745987ffcc80ea0d", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1005, eliminated_buckets=328, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=801, invocations.command.search.index.bucketcache.hit=1005, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 17:14:32.641, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1655140440_43122', total_run_time=5.54, event_count=0, result_count=0, available_count=0, scan_count=13517, drop_count=0, exec_time=1655140463, api_et=1655136840.000000000, api_lt=1655140440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655136840.000000000, search_lt=1655140465.619489000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="3047", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=424, eliminated_buckets=282, considered_events=13517, total_slices=840533, decompressed_slices=4464, duration.command.search.index=1492, invocations.command.search.index.bucketcache.hit=424, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=6164, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=76, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=537, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=1434, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=337, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=17, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=521, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=3, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") 
`filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-13-2022 17:11:32.926, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1655140260_43056', total_run_time=5.16, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655140264, api_et=1655136660.000000000, api_lt=1655140260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655136660.000000000, search_lt=1655140266.339565000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="3101", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_2c92cdc0ed74823f", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=122, eliminated_buckets=47, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=55, invocations.command.search.index.bucketcache.hit=122, 
duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 17:10:02.893, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1655140020_43000', total_run_time=6.02, event_count=0, result_count=0, available_count=0, scan_count=1, drop_count=0, exec_time=1655140046, api_et=1655136420.000000000, api_lt=1655140020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655136420.000000000, search_lt=1655140048.042753000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2744", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_32ca887beda4b9d2", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=427, eliminated_buckets=215, considered_events=1, total_slices=13643, decompressed_slices=1, duration.command.search.index=1021, invocations.command.search.index.bucketcache.hit=427, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=130, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 17:10:02.650, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1655140140_43025', total_run_time=21.78, event_count=0, result_count=0, available_count=0, scan_count=5648869, drop_count=0, exec_time=1655140145, api_et=1655135940.000000000, api_lt=1655139540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655135940.000000000, search_lt=1655139540.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3076", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_fb688ddbf48c398d", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=802, eliminated_buckets=369, considered_events=5648869, total_slices=1285818, decompressed_slices=258413, duration.command.search.index=2018, invocations.command.search.index.bucketcache.hit=802, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=39542, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=195, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 17:10:01.868, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1655140020_43006', total_run_time=18.33, event_count=1200, result_count=67, available_count=0, scan_count=578905, drop_count=0, exec_time=1655140080, api_et=1655136420.000000000, api_lt=1655140020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655136420.000000000, search_lt=1655140081.989246000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2796", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=427, eliminated_buckets=215, considered_events=585651, total_slices=551387, decompressed_slices=133853, duration.command.search.index=3928, invocations.command.search.index.bucketcache.hit=427, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=37766, invocations.command.search.rawdata.bucketcache.hit=9, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=4, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=457376, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=39124, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype 
CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-13-2022 17:00:25.537, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655139540_42811', total_run_time=16.10, event_count=0, result_count=0, available_count=0, scan_count=24735870, drop_count=0, exec_time=1655139590, api_et=1655125140.000000000, api_lt=1655139540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655125140.000000000, search_lt=1655139540.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2660", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=24735870, total_slices=1431445, decompressed_slices=424457, duration.command.search.index=9268, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=68452, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12657118, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 16:59:25.395, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655139480_42798', total_run_time=16.36, event_count=0, result_count=0, available_count=0, 
scan_count=24705768, drop_count=0, exec_time=1655139530, api_et=1655125080.000000000, api_lt=1655139480.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655125080.000000000, search_lt=1655139480.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2647", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=24705768, total_slices=1429510, decompressed_slices=424162, duration.command.search.index=8790, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=64844, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12652276, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv 
src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 16:58:12.370, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655139360_42762', total_run_time=16.60, event_count=0, result_count=0, available_count=0, scan_count=24651515, drop_count=0, exec_time=1655139409, api_et=1655124960.000000000, api_lt=1655139360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655124960.000000000, search_lt=1655139360.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3066", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=24651515, total_slices=1425360, decompressed_slices=423555, duration.command.search.index=9375, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=63400, 
invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12641483, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 16:58:11.689, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655139420_42781', total_run_time=21.29, event_count=0, result_count=0, available_count=0, scan_count=24676668, drop_count=0, exec_time=1655139470, api_et=1655125020.000000000, api_lt=1655139420.000000000, api_index_et=N/A, api_index_lt=N/A, 
search_et=1655125020.000000000, search_lt=1655139420.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3389", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=24676668, total_slices=1427480, decompressed_slices=423813, duration.command.search.index=11178, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=82602, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12647494, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval 
isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 16:56:25.282, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655139300_42751', total_run_time=16.62, event_count=0, result_count=0, available_count=0, scan_count=24628285, drop_count=0, exec_time=1655139349, api_et=1655124900.000000000, api_lt=1655139300.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655124900.000000000, search_lt=1655139300.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2745", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=24628285, total_slices=1423512, decompressed_slices=423310, duration.command.search.index=9482, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=66547, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, 
invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12637685, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 16:55:26.831, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655139240_42735', total_run_time=19.76, event_count=0, result_count=0, available_count=0, scan_count=24605580, drop_count=0, exec_time=1655139289, api_et=1655124840.000000000, api_lt=1655139240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655124840.000000000, search_lt=1655139240.000000000, is_realtime=0, 
savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2626", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=24605580, total_slices=1421527, decompressed_slices=423056, duration.command.search.index=12043, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=80332, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12634543, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as 
ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 16:54:15.377, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655139180_42718', total_run_time=16.07, event_count=0, result_count=0, available_count=0, scan_count=24584701, drop_count=0, exec_time=1655139230, api_et=1655124780.000000000, api_lt=1655139180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655124780.000000000, search_lt=1655139180.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2970", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=24584701, total_slices=1419282, decompressed_slices=422728, duration.command.search.index=9594, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=66670, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, 
invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12631137, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 16:53:52.431, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655139120_42693', total_run_time=21.32, event_count=0, result_count=0, available_count=0, scan_count=24553724, drop_count=0, exec_time=1655139170, api_et=1655124720.000000000, api_lt=1655139120.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655124720.000000000, search_lt=1655139120.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2664", has_error_msg=false, fully_completed_search=true, 
is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=1, considered_events=24553724, total_slices=1417259, decompressed_slices=422386, duration.command.search.index=10208, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=77422, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12624324, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval 
right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 16:52:10.964, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655139060_42676', total_run_time=19.13, event_count=0, result_count=0, available_count=0, scan_count=24527872, drop_count=0, exec_time=1655139109, api_et=1655124660.000000000, api_lt=1655139060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655124660.000000000, search_lt=1655139060.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2701", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=1, considered_events=24527872, total_slices=1415285, decompressed_slices=422090, duration.command.search.index=10764, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=80186, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12618271, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 16:51:12.932, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655139000_42652', total_run_time=22.44, event_count=0, result_count=0, available_count=0, scan_count=24505830, drop_count=0, exec_time=1655139049, api_et=1655124600.000000000, api_lt=1655139000.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655124600.000000000, search_lt=1655139000.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2706", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=1, considered_events=24505830, total_slices=1413363, decompressed_slices=421766, duration.command.search.index=10704, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=79002, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12613212, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 16:50:30.876, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655138940_42629', total_run_time=30.20, event_count=0, result_count=0, available_count=0, scan_count=24481407, drop_count=0, exec_time=1655138989, api_et=1655124540.000000000, api_lt=1655138940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655124540.000000000, search_lt=1655138940.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2722", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=1, considered_events=24481407, total_slices=1411245, decompressed_slices=421439, duration.command.search.index=11057, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=86508, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12608316, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 16:50:08.562, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655138760_42567', total_run_time=32.57, event_count=0, result_count=0, available_count=0, scan_count=24399732, drop_count=0, exec_time=1655138809, api_et=1655124360.000000000, api_lt=1655138760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655124360.000000000, search_lt=1655138760.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2755", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=1, considered_events=24399732, total_slices=1405250, decompressed_slices=420531, duration.command.search.index=10414, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=79661, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12592846, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 16:50:08.103, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655138880_42606', total_run_time=27.45, event_count=0, result_count=0, available_count=0, scan_count=24454340, drop_count=0, exec_time=1655138930, api_et=1655124480.000000000, api_lt=1655138880.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655124480.000000000, search_lt=1655138880.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2357", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=1, considered_events=24454340, total_slices=1409272, decompressed_slices=421118, duration.command.search.index=11362, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=87949, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12602840, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 16:50:07.949, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655138820_42589', total_run_time=28.14, event_count=0, result_count=0, available_count=0, scan_count=24423991, drop_count=0, exec_time=1655138870, api_et=1655124420.000000000, api_lt=1655138820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655124420.000000000, search_lt=1655138820.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2679", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=1, considered_events=24423991, total_slices=1407326, decompressed_slices=420805, duration.command.search.index=9623, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=71783, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12597094, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 16:46:21.353, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655138700_42549', total_run_time=18.57, event_count=0, result_count=0, available_count=0, scan_count=24374649, drop_count=0, exec_time=1655138750, api_et=1655124300.000000000, api_lt=1655138700.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655124300.000000000, search_lt=1655138700.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2566", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=1, considered_events=24374649, total_slices=1403031, decompressed_slices=420234, duration.command.search.index=8782, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=65710, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12588850, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 16:45:10.565, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655138640_42527', total_run_time=19.00, event_count=0, result_count=0, available_count=0, scan_count=24350101, drop_count=0, exec_time=1655138689, api_et=1655124240.000000000, api_lt=1655138640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655124240.000000000, search_lt=1655138640.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3234", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=133, eliminated_buckets=0, considered_events=24350101, total_slices=1401221, decompressed_slices=420082, duration.command.search.index=9125, invocations.command.search.index.bucketcache.hit=133, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=66327, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12584169, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 16:44:50.080, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655138580_42506', total_run_time=23.00, event_count=0, result_count=0, available_count=0, scan_count=24324471, drop_count=0, exec_time=1655138629, api_et=1655124180.000000000, api_lt=1655138580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655124180.000000000, search_lt=1655138580.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3182", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=133, eliminated_buckets=0, considered_events=24324471, total_slices=1399203, decompressed_slices=419820, duration.command.search.index=9893, invocations.command.search.index.bucketcache.hit=133, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=67607, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12579120, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 16:44:49.963, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655138460_42454', total_run_time=37.00, event_count=0, result_count=0, available_count=0, scan_count=24263193, drop_count=0, exec_time=1655138509, api_et=1655124060.000000000, api_lt=1655138460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655124060.000000000, search_lt=1655138460.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2706", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=1, considered_events=24263193, total_slices=1421988, decompressed_slices=419123, duration.command.search.index=10723, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=81658, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12562224, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 16:44:49.355, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655138520_42477', total_run_time=35.94, event_count=0, result_count=0, available_count=0, scan_count=24294315, drop_count=0, exec_time=1655138570, api_et=1655124120.000000000, api_lt=1655138520.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655124120.000000000, search_lt=1655138520.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2562", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=24294315, total_slices=1423504, decompressed_slices=419553, duration.command.search.index=12168, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=101461, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12570971, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 16:44:47.994, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1655138580_42503', total_run_time=29.32, event_count=0, result_count=0, available_count=0, scan_count=3808, drop_count=0, exec_time=1655138618, api_et=1655134980.000000000, api_lt=1655138580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655134980.000000000, search_lt=1655138620.769263000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2872", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_53503e0d2e495b42", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=124, eliminated_buckets=0, considered_events=3808, total_slices=967848, decompressed_slices=1167, duration.command.search.index=1502, invocations.command.search.index.bucketcache.hit=124, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=6125, invocations.command.search.rawdata.bucketcache.hit=5, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter 
vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 16:41:35.956, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655138400_42429', total_run_time=22.69, event_count=0, result_count=0, available_count=0, scan_count=24239055, drop_count=0, exec_time=1655138449, api_et=1655124000.000000000, api_lt=1655138400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655124000.000000000, search_lt=1655138400.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2626", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=24239055, total_slices=1419430, decompressed_slices=419015, duration.command.search.index=9838, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=65909, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12556670, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 16:40:22.074, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655138340_42407', total_run_time=18.67, event_count=0, result_count=0, available_count=0, scan_count=24212356, drop_count=0, exec_time=1655138390, api_et=1655123940.000000000, api_lt=1655138340.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655123940.000000000, search_lt=1655138340.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2732", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=24212356, total_slices=1417497, decompressed_slices=418708, duration.command.search.index=8889, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=65109, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12550243, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 16:39:54.129, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655138220_42376', total_run_time=13.86, event_count=0, result_count=0, available_count=0, scan_count=24153005, drop_count=0, exec_time=1655138270, api_et=1655123820.000000000, api_lt=1655138220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655123820.000000000, search_lt=1655138220.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2563", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=24153005, total_slices=1440601, decompressed_slices=418024, duration.command.search.index=8600, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59823, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12532592, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 16:39:53.846, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655138280_42391', total_run_time=14.47, event_count=0, result_count=0, available_count=0, scan_count=24185260, drop_count=0, exec_time=1655138329, api_et=1655123880.000000000, api_lt=1655138280.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655123880.000000000, search_lt=1655138280.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2542", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=24185260, total_slices=1442657, decompressed_slices=418401, duration.command.search.index=8896, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59886, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12543066, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 16:37:21.267, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655138160_42361', total_run_time=15.91, event_count=0, result_count=0, available_count=0, scan_count=24125510, drop_count=0, exec_time=1655138209, api_et=1655123760.000000000, api_lt=1655138160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655123760.000000000, search_lt=1655138160.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2718", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=24125510, total_slices=1438618, decompressed_slices=417742, duration.command.search.index=8375, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59448, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12521317, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 16:36:19.822, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655138100_42351', total_run_time=21.95, event_count=0, result_count=0, available_count=0, scan_count=24093602, drop_count=0, exec_time=1655138150, api_et=1655123700.000000000, api_lt=1655138100.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655123700.000000000, search_lt=1655138100.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2131", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=24093602, total_slices=1436472, decompressed_slices=417461, duration.command.search.index=8350, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61484, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12509502, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 16:35:21.194, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655138040_42330', total_run_time=28.48, event_count=0, result_count=0, available_count=0, scan_count=24065000, drop_count=0, exec_time=1655138089, api_et=1655123640.000000000, api_lt=1655138040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655123640.000000000, search_lt=1655138040.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2867", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=24065000, total_slices=1460933, decompressed_slices=417172, duration.command.search.index=10490, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=68110, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12499247, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 16:34:20.822, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655137980_42294', total_run_time=28.95, event_count=0, result_count=0, available_count=0, scan_count=24032286, drop_count=0, exec_time=1655138029, api_et=1655123580.000000000, api_lt=1655137980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655123580.000000000, search_lt=1655137980.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2746", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=24032286, total_slices=1458781, decompressed_slices=416820, duration.command.search.index=10123, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=72566, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12487099, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 16:34:20.584, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1655137980_42282', total_run_time=39.71, event_count=0, result_count=0, available_count=0, scan_count=39735450, drop_count=0, exec_time=1655138006, api_et=1655134380.000000000, api_lt=1655137980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655134380.000000000, search_lt=1655138008.300739000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3710", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_1b460a811ad7f53e", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1809, eliminated_buckets=134, considered_events=39735450, total_slices=14080086, decompressed_slices=4014277, duration.command.search.index=14297, invocations.command.search.index.bucketcache.hit=1805, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=230600, invocations.command.search.rawdata.bucketcache.hit=268, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 16:33:49.750, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655137920_42257', total_run_time=42.08, event_count=0, result_count=0, available_count=0, scan_count=23999248, drop_count=0, exec_time=1655137970, api_et=1655123520.000000000, api_lt=1655137920.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655123520.000000000, search_lt=1655137920.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2726", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=23999248, total_slices=1456492, decompressed_slices=416401, duration.command.search.index=10802, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=88003, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12476005, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 16:32:49.908, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655137860_42228', total_run_time=48.34, event_count=0, result_count=0, available_count=0, scan_count=23967327, drop_count=0, exec_time=1655137909, api_et=1655123460.000000000, api_lt=1655137860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655123460.000000000, search_lt=1655137860.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3312", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=23967327, total_slices=1454302, decompressed_slices=415965, duration.command.search.index=10246, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=78069, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12462910, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 16:31:50.922, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655137800_42199', total_run_time=53.44, event_count=0, result_count=0, available_count=0, scan_count=23937822, drop_count=0, exec_time=1655137849, api_et=1655123400.000000000, api_lt=1655137800.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655123400.000000000, search_lt=1655137800.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3033", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=23937822, total_slices=1452477, decompressed_slices=415676, duration.command.search.index=10104, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=73088, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12452007, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 16:30:19.810, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655137740_42171', total_run_time=25.18, event_count=0, result_count=0, available_count=0, scan_count=23904931, drop_count=0, exec_time=1655137789, api_et=1655123340.000000000, api_lt=1655137740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655123340.000000000, search_lt=1655137740.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2623", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=23904931, total_slices=1450444, decompressed_slices=415276, duration.command.search.index=8662, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=73683, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12439485, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 16:29:49.706, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655137680_42157', total_run_time=55.40, event_count=0, result_count=0, available_count=0, scan_count=23874487, drop_count=0, exec_time=1655137729, api_et=1655123280.000000000, api_lt=1655137680.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655123280.000000000, search_lt=1655137680.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2606", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=23874487, total_slices=1448342, decompressed_slices=414882, duration.command.search.index=9034, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=66001, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12426898, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 16:29:05.907, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655137620_42142', total_run_time=27.18, event_count=0, result_count=0, available_count=0, scan_count=23844285, drop_count=0, exec_time=1655137669, api_et=1655123220.000000000, api_lt=1655137620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655123220.000000000, search_lt=1655137620.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2733", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=23844285, total_slices=1446337, decompressed_slices=414609, duration.command.search.index=8619, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=68105, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12415853, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 16:27:24.703, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655137560_42123', total_run_time=25.77, event_count=0, result_count=0, available_count=0, scan_count=23814242, drop_count=0, exec_time=1655137609, api_et=1655123160.000000000, api_lt=1655137560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655123160.000000000, search_lt=1655137560.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2548", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=23814242, total_slices=1444232, decompressed_slices=414223, duration.command.search.index=8735, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=65597, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12405221, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 16:26:24.681, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655137500_42107', total_run_time=25.24, event_count=0, result_count=0, available_count=0, scan_count=23782848, drop_count=0, exec_time=1655137549, api_et=1655123100.000000000, api_lt=1655137500.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655123100.000000000, search_lt=1655137500.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3144", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=23782848, total_slices=1442229, decompressed_slices=413801, duration.command.search.index=9055, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=68286, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12396436, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 16:25:54.761, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655137440_42093', total_run_time=37.78, event_count=0, result_count=0, available_count=0, scan_count=23752205, drop_count=0, exec_time=1655137489, api_et=1655123040.000000000, api_lt=1655137440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655123040.000000000, search_lt=1655137440.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2588", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=23752205, total_slices=1440125, decompressed_slices=413472, duration.command.search.index=10373, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=78600, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12388684, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 16:24:24.637, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655137380_42075', total_run_time=34.08, event_count=0, result_count=0, available_count=0, scan_count=23724235, drop_count=0, exec_time=1655137429, api_et=1655122980.000000000, api_lt=1655137380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655122980.000000000, search_lt=1655137380.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2617", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=23724235, total_slices=1438076, decompressed_slices=413237, duration.command.search.index=10143, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=77244, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12381891, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 16:23:40.136, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655137320_42043', total_run_time=38.42, event_count=0, result_count=0, available_count=0, scan_count=23694616, drop_count=0, exec_time=1655137369, api_et=1655122920.000000000, api_lt=1655137320.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655122920.000000000, search_lt=1655137320.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2924", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=23694616, total_slices=1462245, decompressed_slices=412874, duration.command.search.index=9592, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=75383, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12374648, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 16:22:24.807, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655137260_42027', total_run_time=24.96, event_count=0, result_count=0, available_count=0, scan_count=23671411, drop_count=0, exec_time=1655137309, api_et=1655122860.000000000, api_lt=1655137260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655122860.000000000, search_lt=1655137260.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2622", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=23671411, total_slices=1486798, decompressed_slices=412629, duration.command.search.index=11045, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=81306, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12366781, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 16:21:54.821, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD5f35305de57109d38_at_1655137200_42000', total_run_time=29.27, event_count=12360673, result_count=15, available_count=0, scan_count=23648180, drop_count=0, exec_time=1655137257, api_et=1655122800.000000000, api_lt=1655137200.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655122800.000000000, search_lt=1655137200.000000000, is_realtime=0, savedsearch_name="(1/3)_Public/NAT IP_Updating Existing IP", search_startup_time="2721", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_0f6d107c44b6659a", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=23648180, total_slices=1485099, decompressed_slices=412426, duration.command.search.index=10442, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=81218, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12360673, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="False" | eval earliest_seen=strptime(existing_es, "%m/%d/%Y %H:%M:%S.%N") | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(earliest_seen) 
as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields ServiceType, host, src_translated_ip, earliest_seen, latest_seen, right_now, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 16:21:54.571, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655137200_41997', total_run_time=36.93, event_count=0, result_count=0, available_count=0, scan_count=23648198, drop_count=0, exec_time=1655137250, api_et=1655122800.000000000, api_lt=1655137200.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655122800.000000000, search_lt=1655137200.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2639", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=23648198, total_slices=1484747, decompressed_slices=412434, duration.command.search.index=11128, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=84357, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12360673, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 16:20:24.606, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655137140_41972', total_run_time=26.86, event_count=0, result_count=0, available_count=0, scan_count=23626840, drop_count=0, exec_time=1655137189, api_et=1655122740.000000000, api_lt=1655137140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655122740.000000000, search_lt=1655137140.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2681", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=23626840, total_slices=1509567, decompressed_slices=412085, duration.command.search.index=10487, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=95646, invocations.command.search.rawdata.bucketcache.hit=20, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12355577, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 16:19:24.806, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655137080_41947', total_run_time=25.70, event_count=0, result_count=0, available_count=0, scan_count=23600568, drop_count=0, exec_time=1655137129, api_et=1655122680.000000000, api_lt=1655137080.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655122680.000000000, search_lt=1655137080.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2716", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=23600568, total_slices=1507674, decompressed_slices=411741, duration.command.search.index=11381, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=93935, invocations.command.search.rawdata.bucketcache.hit=20, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12347289, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 16:18:25.331, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655137020_41926', total_run_time=25.70, event_count=0, result_count=0, available_count=0, scan_count=23578238, drop_count=0, exec_time=1655137069, api_et=1655122620.000000000, api_lt=1655137020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655122620.000000000, search_lt=1655137020.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2708", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=23578238, total_slices=1505523, decompressed_slices=411472, duration.command.search.index=13099, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=82045, invocations.command.search.rawdata.bucketcache.hit=20, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12341860, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 16:17:25.038, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655136960_41902', total_run_time=33.18, event_count=0, result_count=0, available_count=0, scan_count=23555766, drop_count=0, exec_time=1655137010, api_et=1655122560.000000000, api_lt=1655136960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655122560.000000000, search_lt=1655136960.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2551", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=23555766, total_slices=1503690, decompressed_slices=411102, duration.command.search.index=11089, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=90263, invocations.command.search.rawdata.bucketcache.hit=20, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12334819, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 16:16:54.760, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655136900_41886', total_run_time=34.90, event_count=0, result_count=0, available_count=0, scan_count=23529382, drop_count=0, exec_time=1655136950, api_et=1655122500.000000000, api_lt=1655136900.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655122500.000000000, search_lt=1655136900.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2586", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=23529382, total_slices=1501603, decompressed_slices=410776, duration.command.search.index=11407, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=98332, invocations.command.search.rawdata.bucketcache.hit=20, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12326940, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 16:16:24.831, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1655136960_41896', total_run_time=9.87, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655136971, api_et=1655132760.000000000, api_lt=1655136360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655133360.000000000, search_lt=1655136972.961100000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3235", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_5f1f3a07b5d2e94a", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1008, eliminated_buckets=329, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=965, invocations.command.search.index.bucketcache.hit=1008, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 16:15:24.733, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655136840_41865', total_run_time=25.12, event_count=0, result_count=0, available_count=0, scan_count=23510320, drop_count=0, exec_time=1655136889, api_et=1655122440.000000000, api_lt=1655136840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655122440.000000000, search_lt=1655136840.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2625", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=23510320, total_slices=1499556, decompressed_slices=410633, duration.command.search.index=10077, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=81784, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12322100, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 16:14:54.528, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1655136840_41853', total_run_time=27.88, event_count=0, result_count=0, available_count=0, scan_count=14801, drop_count=0, exec_time=1655136863, api_et=1655133240.000000000, api_lt=1655136840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655133240.000000000, search_lt=1655136865.180031000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2778", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", 
provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=426, eliminated_buckets=291, considered_events=14893, total_slices=785866, decompressed_slices=4328, duration.command.search.index=4247, invocations.command.search.index.bucketcache.hit=426, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=7670, invocations.command.search.rawdata.bucketcache.hit=5, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=96, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=484, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=1283, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=296, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=14, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=436, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=14, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR 
sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." 
(CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-13-2022 16:14:24.563, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655136780_41843', total_run_time=32.43, event_count=0, result_count=0, available_count=0, scan_count=23488686, drop_count=0, exec_time=1655136829, api_et=1655122380.000000000, api_lt=1655136780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655122380.000000000, search_lt=1655136780.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2745", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=23488686, total_slices=1497583, decompressed_slices=410451, duration.command.search.index=10134, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=76612, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12317102, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 16:13:24.590, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655136720_41816', total_run_time=24.90, event_count=0, result_count=0, available_count=0, scan_count=23468045, drop_count=0, exec_time=1655136769, api_et=1655122320.000000000, api_lt=1655136720.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655122320.000000000, search_lt=1655136720.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2690", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=23468045, total_slices=1495682, decompressed_slices=410103, duration.command.search.index=10926, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=86210, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12312613, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 16:13:08.316, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655136660_41798', total_run_time=43.48, event_count=0, result_count=0, available_count=0, scan_count=23448061, drop_count=0, exec_time=1655136710, api_et=1655122260.000000000, api_lt=1655136660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655122260.000000000, search_lt=1655136660.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3067", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=23448061, total_slices=1493316, decompressed_slices=409778, duration.command.search.index=10320, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=90771, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12307565, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 16:11:25.174, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655136600_41773', total_run_time=35.20, event_count=0, result_count=0, available_count=0, scan_count=23427847, drop_count=0, exec_time=1655136649, api_et=1655122200.000000000, api_lt=1655136600.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655122200.000000000, search_lt=1655136600.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2609", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=1, considered_events=23427847, total_slices=1491799, decompressed_slices=409667, duration.command.search.index=12103, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=105156, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12304037, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 16:11:24.960, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1655136660_41780', total_run_time=5.43, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655136664, api_et=1655133060.000000000, api_lt=1655136660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655133060.000000000, search_lt=1655136666.978661000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="3345", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_5bbce214ab6b2bc1", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=123, eliminated_buckets=48, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=61, invocations.command.search.index.bucketcache.hit=123, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 16:10:44.373, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655136540_41754', total_run_time=39.79, event_count=0, result_count=0, available_count=0, scan_count=23409229, drop_count=0, exec_time=1655136589, api_et=1655122140.000000000, api_lt=1655136540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655122140.000000000, search_lt=1655136540.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="4519", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=1, considered_events=23409229, total_slices=1489951, decompressed_slices=409432, duration.command.search.index=13349, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=151466, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12299995, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 16:10:24.194, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655136420_41721', total_run_time=28.57, event_count=0, result_count=0, available_count=0, scan_count=23365631, drop_count=0, exec_time=1655136470, api_et=1655122020.000000000, api_lt=1655136420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655122020.000000000, search_lt=1655136420.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2719", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=23365631, total_slices=1485975, decompressed_slices=408916, duration.command.search.index=11691, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=99606, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12292401, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 16:10:23.974, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1655136540_41746', total_run_time=24.67, event_count=0, result_count=0, available_count=0, scan_count=5567139, drop_count=0, exec_time=1655136546, api_et=1655132340.000000000, api_lt=1655135940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655132340.000000000, search_lt=1655135940.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3003", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_11a7e8310bd4fd5f", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=794, eliminated_buckets=358, considered_events=5567139, total_slices=1417041, decompressed_slices=255848, duration.command.search.index=10984, invocations.command.search.index.bucketcache.hit=794, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=44971, invocations.command.search.rawdata.bucketcache.hit=21, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=211, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 16:10:23.971, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1655136420_41724', total_run_time=22.83, event_count=1101, result_count=64, available_count=0, scan_count=560927, drop_count=0, exec_time=1655136480, api_et=1655132820.000000000, api_lt=1655136420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655132820.000000000, search_lt=1655136482.429311000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2860", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=429, eliminated_buckets=207, considered_events=567802, total_slices=726572, decompressed_slices=120811, duration.command.search.index=11530, invocations.command.search.index.bucketcache.hit=429, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=49756, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=3, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=450689, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=34411, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype 
CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-13-2022 16:10:23.940, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1655136420_41716', total_run_time=14.13, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655136446, api_et=1655132820.000000000, api_lt=1655136420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655132820.000000000, search_lt=1655136448.103425000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2845", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_41d8d18238ae8a86", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=429, eliminated_buckets=207, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=10770, invocations.command.search.index.bucketcache.hit=429, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 16:10:23.667, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655136480_41738', total_run_time=23.95, event_count=0, result_count=0, available_count=0, scan_count=23388753, drop_count=0, exec_time=1655136530, api_et=1655122080.000000000, api_lt=1655136480.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655122080.000000000, search_lt=1655136480.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2548", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=23388753, total_slices=1487773, decompressed_slices=409204, duration.command.search.index=11912, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=95619, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12297154, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 16:07:24.958, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655136360_41700', total_run_time=28.84, event_count=0, result_count=0, available_count=0, scan_count=23347623, drop_count=0, exec_time=1655136410, api_et=1655121960.000000000, api_lt=1655136360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655121960.000000000, search_lt=1655136360.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2605", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=23347623, total_slices=1483876, decompressed_slices=408724, duration.command.search.index=11728, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=105153, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12288150, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 16:06:25.080, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655136300_41686', total_run_time=32.90, event_count=0, result_count=0, available_count=0, scan_count=23327594, drop_count=0, exec_time=1655136350, api_et=1655121900.000000000, api_lt=1655136300.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655121900.000000000, search_lt=1655136300.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3048", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=23327594, total_slices=1482022, decompressed_slices=408406, duration.command.search.index=11526, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=108262, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12283973, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 16:05:41.300, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655136240_41669', total_run_time=51.09, event_count=0, result_count=0, available_count=0, scan_count=23304612, drop_count=0, exec_time=1655136290, api_et=1655121840.000000000, api_lt=1655136240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655121840.000000000, search_lt=1655136240.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2651", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=23304612, total_slices=1480062, decompressed_slices=408032, duration.command.search.index=18130, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=188993, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12279473, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 16:05:14.759, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655136180_41627', total_run_time=46.69, event_count=0, result_count=0, available_count=0, scan_count=23283086, drop_count=0, exec_time=1655136229, api_et=1655121780.000000000, api_lt=1655136180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655121780.000000000, search_lt=1655136180.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2658", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=23283086, total_slices=1478086, decompressed_slices=407710, duration.command.search.index=21261, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=222270, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12275545, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 16:05:14.293, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655136060_41551', total_run_time=50.51, event_count=0, result_count=0, available_count=0, scan_count=23233853, drop_count=0, exec_time=1655136109, api_et=1655121660.000000000, api_lt=1655136060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655121660.000000000, search_lt=1655136060.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2539", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=1, considered_events=23233853, total_slices=1474133, decompressed_slices=406928, duration.command.search.index=21070, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=203069, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12265438, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 16:05:13.195, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655136120_41582', total_run_time=48.26, event_count=0, result_count=0, available_count=0, scan_count=23258901, drop_count=0, exec_time=1655136169, api_et=1655121720.000000000, api_lt=1655136120.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655121720.000000000, search_lt=1655136120.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2705", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=1, considered_events=23258901, total_slices=1476048, decompressed_slices=407348, duration.command.search.index=18942, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=223512, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12270391, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 16:01:50.932, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655136000_41521', total_run_time=46.86, event_count=0, result_count=0, available_count=0, scan_count=23207936, drop_count=0, exec_time=1655136050, api_et=1655121600.000000000, api_lt=1655136000.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655121600.000000000, search_lt=1655136000.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2646", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=1, considered_events=23207936, total_slices=1472042, decompressed_slices=406636, duration.command.search.index=19397, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=230770, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12261555, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 15:44:17.280, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1655134980_41233', total_run_time=31.63, event_count=0, result_count=0, available_count=0, scan_count=3380, drop_count=0, exec_time=1655135018, api_et=1655131380.000000000, api_lt=1655134980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655131380.000000000, search_lt=1655135020.440019000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2763", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_9ef24ba2a64cf70d", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=121, eliminated_buckets=1, considered_events=3380, total_slices=904719, decompressed_slices=1023, duration.command.search.index=1323, invocations.command.search.index.bucketcache.hit=121, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4969, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 15:37:18.505, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1655134380_41027', total_run_time=43.54, event_count=0, result_count=0, available_count=0, scan_count=39921958, drop_count=0, exec_time=1655134405, api_et=1655130780.000000000, api_lt=1655134380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655130780.000000000, search_lt=1655134407.545353000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="4089", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_07931f5fac0ae218", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1806, eliminated_buckets=134, considered_events=39921958, total_slices=13892483, decompressed_slices=4026578, duration.command.search.index=16856, invocations.command.search.index.bucketcache.hit=1803, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=228229, invocations.command.search.rawdata.bucketcache.hit=259, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 15:16:51.774, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1655133360_40687', total_run_time=24.66, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655133370, api_et=1655129160.000000000, api_lt=1655132760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655129760.000000000, search_lt=1655133372.464232000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3415", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_5f94eee1d6b8be6c", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1009, eliminated_buckets=331, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=851, invocations.command.search.index.bucketcache.hit=1009, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 15:14:51.929, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1655133240_40647', total_run_time=7.80, event_count=0, result_count=0, available_count=0, scan_count=14987, drop_count=0, exec_time=1655133263, api_et=1655129640.000000000, api_lt=1655133240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655129640.000000000, search_lt=1655133265.224436000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2845", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=413, eliminated_buckets=282, considered_events=15018, total_slices=645792, decompressed_slices=3931, duration.command.search.index=1328, invocations.command.search.index.bucketcache.hit=413, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=6142, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=67, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=415, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=942, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=218, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=22, 
sourcetype_count__crowdstrike:falcon:fdr:PdfFileWritten=1, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=639, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=15, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR 
sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-13-2022 15:11:22.453, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1655133060_40580', total_run_time=4.57, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655133064, api_et=1655129460.000000000, api_lt=1655133060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655129460.000000000, search_lt=1655133065.722606000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2268", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_60153e43306447db", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=122, eliminated_buckets=47, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=55, 
invocations.command.search.index.bucketcache.hit=122, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 15:09:39.705, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1655132820_40523', total_run_time=7.27, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655132846, api_et=1655129220.000000000, api_lt=1655132820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655129220.000000000, search_lt=1655132848.339065000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2922", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_99746b162cf1bc28", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=415, eliminated_buckets=203, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=931, invocations.command.search.index.bucketcache.hit=415, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 15:09:39.585, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1655132820_40533', total_run_time=17.50, event_count=1206, result_count=56, available_count=0, scan_count=531598, drop_count=0, exec_time=1655132884, api_et=1655129220.000000000, api_lt=1655132820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655129220.000000000, search_lt=1655132886.095957000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2764", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=415, eliminated_buckets=203, considered_events=537383, total_slices=690356, decompressed_slices=118045, duration.command.search.index=4210, invocations.command.search.index.bucketcache.hit=415, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=35019, invocations.command.search.rawdata.bucketcache.hit=5, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=5, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=424301, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=38732, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-13-2022 15:09:39.339, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1655132940_40546', total_run_time=20.33, event_count=0, result_count=0, available_count=0, scan_count=5036354, drop_count=0, exec_time=1655132946, api_et=1655128740.000000000, api_lt=1655132340.000000000, 
api_index_et=N/A, api_index_lt=N/A, search_et=1655128740.000000000, search_lt=1655132340.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="2979", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_bc647ebf8ed2c278", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=822, eliminated_buckets=387, considered_events=5036354, total_slices=1261525, decompressed_slices=235162, duration.command.search.index=4930, invocations.command.search.index.bucketcache.hit=819, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=37439, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=148, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | 
stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 14:44:16.502, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1655131380_40050', total_run_time=25.91, event_count=0, result_count=0, available_count=0, scan_count=3868, drop_count=0, exec_time=1655131418, api_et=1655127780.000000000, api_lt=1655131380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655127780.000000000, search_lt=1655131420.254171000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2811", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_04115aacb10ac7fe", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=121, eliminated_buckets=2, considered_events=3868, total_slices=938770, decompressed_slices=1220, duration.command.search.index=1050, invocations.command.search.index.bucketcache.hit=121, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4940, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 14:34:30.602, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1655130780_39842', total_run_time=50.86, event_count=0, result_count=0, available_count=0, scan_count=39928569, drop_count=0, 
exec_time=1655130805, api_et=1655127180.000000000, api_lt=1655130780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655127180.000000000, search_lt=1655130807.589553000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3636", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_71579a29d68bd325", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1821, eliminated_buckets=134, considered_events=39928569, total_slices=13872623, decompressed_slices=4006408, duration.command.search.index=14648, invocations.command.search.index.bucketcache.hit=1816, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=245136, invocations.command.search.rawdata.bucketcache.hit=271, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename 
suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 14:16:23.434, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1655129760_39496', total_run_time=8.21, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655129771, api_et=1655125560.000000000, api_lt=1655129160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655126160.000000000, search_lt=1655129772.905550000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3555", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_00b94ba311b0143e", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1005, eliminated_buckets=331, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=854, invocations.command.search.index.bucketcache.hit=1004, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, 
duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF 
Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 14:14:53.634, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1655129640_39456', total_run_time=4.28, event_count=0, result_count=0, available_count=0, scan_count=16755, drop_count=0, exec_time=1655129663, api_et=1655126040.000000000, api_lt=1655129640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655126040.000000000, search_lt=1655129665.287980000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2695", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=416, eliminated_buckets=285, considered_events=16906, total_slices=527459, decompressed_slices=4022, duration.command.search.index=1252, invocations.command.search.index.bucketcache.hit=416, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=6142, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=73, 
sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=334, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=925, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=188, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=21, sourcetype_count__crowdstrike:falcon:fdr:PdfFileWritten=1, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=527, sourcetype_count__crowdstrike:falcon:fdr:RtfFileWritten=23, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=8, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR 
sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-13-2022 14:11:23.655, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1655129460_39390', total_run_time=5.93, event_count=0, result_count=0, available_count=0, scan_count=6, drop_count=0, exec_time=1655129464, api_et=1655125860.000000000, api_lt=1655129460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655125860.000000000, search_lt=1655129466.527492000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="3070", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_aa0e83f5461d747d", 
app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=121, eliminated_buckets=46, considered_events=6, total_slices=19762, decompressed_slices=5, duration.command.search.index=55, invocations.command.search.index.bucketcache.hit=121, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=222, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 14:09:53.465, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1655129340_39359', total_run_time=18.37, event_count=0, result_count=0, available_count=0, scan_count=3828286, drop_count=0, exec_time=1655129345, api_et=1655125140.000000000, api_lt=1655128740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655125140.000000000, search_lt=1655128740.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="2997", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_2bf5b2a210bac0e1", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=790, eliminated_buckets=359, considered_events=3828286, total_slices=1131391, decompressed_slices=185944, duration.command.search.index=1639, invocations.command.search.index.bucketcache.hit=789, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=30229, invocations.command.search.rawdata.bucketcache.hit=7, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=177, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 14:08:20.463, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1655129220_39339', total_run_time=18.93, event_count=2105, result_count=114, available_count=0, scan_count=538980, drop_count=0, exec_time=1655129280, api_et=1655125620.000000000, api_lt=1655129220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655125620.000000000, search_lt=1655129282.051306000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2780", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=417, eliminated_buckets=203, considered_events=543737, total_slices=659801, decompressed_slices=122239, duration.command.search.index=3761, invocations.command.search.index.bucketcache.hit=417, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=34579, invocations.command.search.rawdata.bucketcache.hit=6, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=4, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=437486, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=40610, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype 
CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-13-2022 14:08:20.123, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1655129220_39334', total_run_time=4.94, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655129246, api_et=1655125620.000000000, api_lt=1655129220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655125620.000000000, search_lt=1655129248.492186000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2698", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_02b76e30dfcdf3b1", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=417, eliminated_buckets=203, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=832, invocations.command.search.index.bucketcache.hit=417, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 13:44:25.400, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1655127780_38872', total_run_time=21.60, event_count=0, result_count=0, available_count=0, scan_count=3893, drop_count=0, exec_time=1655127818, api_et=1655124180.000000000, api_lt=1655127780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655124180.000000000, search_lt=1655127819.941465000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2790", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_b8078a00090d2170", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=121, eliminated_buckets=0, considered_events=3893, total_slices=885953, decompressed_slices=1123, duration.command.search.index=1044, invocations.command.search.index.bucketcache.hit=121, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4765, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 13:34:25.947, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1655127180_38667', total_run_time=43.81, event_count=0, result_count=0, available_count=0, scan_count=39870417, drop_count=0, exec_time=1655127205, api_et=1655123580.000000000, api_lt=1655127180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655123580.000000000, search_lt=1655127207.527843000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3694", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_47149ca4a1f94f64", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1808, eliminated_buckets=134, considered_events=39870417, total_slices=13667384, decompressed_slices=3962872, duration.command.search.index=14316, invocations.command.search.index.bucketcache.hit=1806, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=229575, invocations.command.search.rawdata.bucketcache.hit=253, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 13:16:25.897, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1655126160_38330', total_run_time=11.52, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655126170, api_et=1655121960.000000000, api_lt=1655125560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655122560.000000000, search_lt=1655126172.703837000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3238", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_eaa1912dc6e8857d", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1005, eliminated_buckets=334, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=831, invocations.command.search.index.bucketcache.hit=1005, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 13:14:55.665, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1655126040_38290', total_run_time=4.22, event_count=0, result_count=0, available_count=0, scan_count=8745, drop_count=0, exec_time=1655126063, api_et=1655122440.000000000, api_lt=1655126040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655122440.000000000, search_lt=1655126065.050459000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2823", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=417, eliminated_buckets=285, considered_events=8745, total_slices=442558, decompressed_slices=2772, duration.command.search.index=1005, invocations.command.search.index.bucketcache.hit=417, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5790, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=40, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=169, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=709, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=104, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=23, 
sourcetype_count__crowdstrike:falcon:fdr:PdfFileWritten=1, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=515, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=9, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR 
sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-13-2022 13:11:26.431, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1655125860_38224', total_run_time=4.66, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655125864, api_et=1655122260.000000000, api_lt=1655125860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655122260.000000000, search_lt=1655125866.124176000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2686", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_97829897e8f7245e", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=122, eliminated_buckets=47, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=74, 
invocations.command.search.index.bucketcache.hit=122, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 13:09:45.452, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1655125740_38193', total_run_time=20.17, event_count=0, result_count=0, available_count=0, scan_count=3709743, drop_count=0, exec_time=1655125746, api_et=1655121540.000000000, api_lt=1655125140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655121540.000000000, search_lt=1655125140.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3094", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_9cb13b32596f5c6c", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=785, eliminated_buckets=359, considered_events=3709743, total_slices=1061157, decompressed_slices=177025, duration.command.search.index=1564, invocations.command.search.index.bucketcache.hit=784, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=29095, invocations.command.search.rawdata.bucketcache.hit=6, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=166, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 13:09:24.322, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1655125620_38170', total_run_time=6.59, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655125646, api_et=1655122020.000000000, api_lt=1655125620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655122020.000000000, search_lt=1655125648.827171000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To 
Gitlab Servers - Rule", search_startup_time="2986", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_0e793a991e76730e", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=416, eliminated_buckets=203, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=785, invocations.command.search.index.bucketcache.hit=416, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host 
ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 13:09:23.626, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1655125620_38175', total_run_time=21.32, event_count=1930, result_count=108, available_count=0, scan_count=466357, drop_count=0, exec_time=1655125680, api_et=1655122020.000000000, api_lt=1655125620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655122020.000000000, search_lt=1655125682.155576000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2762", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=416, eliminated_buckets=203, considered_events=472025, total_slices=601780, decompressed_slices=93366, duration.command.search.index=3015, invocations.command.search.index.bucketcache.hit=416, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=27111, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, 
invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=4, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=381079, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=39365, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] 
Audit:[timestamp=06-13-2022 13:00:11.143, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655125140_37981', total_run_time=12.95, event_count=0, result_count=0, available_count=0, scan_count=21664674, drop_count=0, exec_time=1655125190, api_et=1655110740.000000000, api_lt=1655125140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655110740.000000000, search_lt=1655125140.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2658", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=21664674, total_slices=1509866, decompressed_slices=382142, duration.command.search.index=7496, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59372, invocations.command.search.rawdata.bucketcache.hit=20, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11702572, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs 
sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 12:59:11.266, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655125080_37968', total_run_time=12.99, event_count=0, result_count=0, available_count=0, scan_count=21668046, drop_count=0, exec_time=1655125130, api_et=1655110680.000000000, api_lt=1655125080.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655110680.000000000, search_lt=1655125080.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2536", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=21668046, total_slices=1508083, decompressed_slices=382143, duration.command.search.index=7183, invocations.command.search.index.bucketcache.hit=138, 
duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59948, invocations.command.search.rawdata.bucketcache.hit=20, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11704773, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 12:58:29.274, user=u00002, action=search, info=completed, 
search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655125020_37953', total_run_time=12.55, event_count=0, result_count=0, available_count=0, scan_count=21671757, drop_count=0, exec_time=1655125070, api_et=1655110620.000000000, api_lt=1655125020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655110620.000000000, search_lt=1655125020.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2701", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=21671757, total_slices=1506331, decompressed_slices=382180, duration.command.search.index=7509, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58249, invocations.command.search.rawdata.bucketcache.hit=20, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11707283, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" 
src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 12:57:11.223, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655124960_37935', total_run_time=13.30, event_count=0, result_count=0, available_count=0, scan_count=21675096, drop_count=0, exec_time=1655125009, api_et=1655110560.000000000, api_lt=1655124960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655110560.000000000, search_lt=1655124960.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3235", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=21675096, total_slices=1504639, decompressed_slices=382161, duration.command.search.index=7491, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, 
invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57963, invocations.command.search.rawdata.bucketcache.hit=20, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11711092, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 12:56:11.438, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655124900_37924', total_run_time=13.47, 
event_count=0, result_count=0, available_count=0, scan_count=21674559, drop_count=0, exec_time=1655124949, api_et=1655110500.000000000, api_lt=1655124900.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655110500.000000000, search_lt=1655124900.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2638", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=21674559, total_slices=1502626, decompressed_slices=382133, duration.command.search.index=7896, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55886, invocations.command.search.rawdata.bucketcache.hit=20, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11714151, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, 
dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 12:55:11.293, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655124840_37907', total_run_time=13.56, event_count=0, result_count=0, available_count=0, scan_count=21680537, drop_count=0, exec_time=1655124889, api_et=1655110440.000000000, api_lt=1655124840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655110440.000000000, search_lt=1655124840.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2628", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=0, considered_events=21680537, total_slices=1527978, decompressed_slices=382324, duration.command.search.index=7882, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, 
duration.command.search.rawdata=53342, invocations.command.search.rawdata.bucketcache.hit=21, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11716873, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 12:54:46.449, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655124780_37890', total_run_time=12.56, event_count=0, result_count=0, available_count=0, scan_count=21683297, drop_count=0, exec_time=1655124829, api_et=1655110380.000000000, 
api_lt=1655124780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655110380.000000000, search_lt=1655124780.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2682", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=0, considered_events=21683297, total_slices=1526196, decompressed_slices=382407, duration.command.search.index=7731, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52428, invocations.command.search.rawdata.bucketcache.hit=21, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11716111, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, 
earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 12:54:45.129, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655124720_37866', total_run_time=14.19, event_count=0, result_count=0, available_count=0, scan_count=21686651, drop_count=0, exec_time=1655124769, api_et=1655110320.000000000, api_lt=1655124720.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655110320.000000000, search_lt=1655124720.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2749", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=0, considered_events=21686651, total_slices=1524494, decompressed_slices=382454, duration.command.search.index=7973, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57798, invocations.command.search.rawdata.bucketcache.hit=21, duration.command.search.rawdata.bucketcache.hit=0, 
invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11718752, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 12:52:14.897, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655124660_37849', total_run_time=13.70, event_count=0, result_count=0, available_count=0, scan_count=21695108, drop_count=0, exec_time=1655124710, api_et=1655110260.000000000, api_lt=1655124660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655110260.000000000, search_lt=1655124660.000000000, is_realtime=0, 
savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2716", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=0, considered_events=21695108, total_slices=1522798, decompressed_slices=382625, duration.command.search.index=7896, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57521, invocations.command.search.rawdata.bucketcache.hit=21, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11725932, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as 
ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 12:51:30.307, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655124600_37825', total_run_time=12.62, event_count=0, result_count=0, available_count=0, scan_count=21700906, drop_count=0, exec_time=1655124649, api_et=1655110200.000000000, api_lt=1655124600.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655110200.000000000, search_lt=1655124600.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2712", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=0, considered_events=21700906, total_slices=1521047, decompressed_slices=382751, duration.command.search.index=7754, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58215, invocations.command.search.rawdata.bucketcache.hit=21, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, 
invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11731618, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 12:51:04.495, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655124360_37743', total_run_time=13.92, event_count=0, result_count=0, available_count=0, scan_count=21731083, drop_count=0, exec_time=1655124410, api_et=1655109960.000000000, api_lt=1655124360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655109960.000000000, search_lt=1655124360.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2633", has_error_msg=false, fully_completed_search=true, 
is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=21731083, total_slices=1514236, decompressed_slices=383182, duration.command.search.index=8016, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=54105, invocations.command.search.rawdata.bucketcache.hit=21, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11756228, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval 
right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 12:51:03.857, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655124540_37802', total_run_time=13.56, event_count=0, result_count=0, available_count=0, scan_count=21706741, drop_count=0, exec_time=1655124589, api_et=1655110140.000000000, api_lt=1655124540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655110140.000000000, search_lt=1655124540.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2890", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=0, considered_events=21706741, total_slices=1519322, decompressed_slices=382847, duration.command.search.index=7810, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56390, invocations.command.search.rawdata.bucketcache.hit=21, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11737278, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 12:51:03.766, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655124420_37764', total_run_time=13.46, event_count=0, result_count=0, available_count=0, scan_count=21724247, drop_count=0, exec_time=1655124469, api_et=1655110020.000000000, api_lt=1655124420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655110020.000000000, search_lt=1655124420.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2636", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=21724247, total_slices=1515881, decompressed_slices=383099, duration.command.search.index=8400, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56343, invocations.command.search.rawdata.bucketcache.hit=21, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11749153, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 12:51:01.523, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655124480_37780', total_run_time=15.13, event_count=0, result_count=0, available_count=0, scan_count=21716282, drop_count=0, exec_time=1655124529, api_et=1655110080.000000000, api_lt=1655124480.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655110080.000000000, search_lt=1655124480.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2689", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=0, considered_events=21716282, total_slices=1517611, decompressed_slices=383001, duration.command.search.index=8422, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56198, invocations.command.search.rawdata.bucketcache.hit=21, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11744052, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 12:46:26.848, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655124300_37725', total_run_time=12.66, event_count=0, result_count=0, available_count=0, scan_count=21733741, drop_count=0, exec_time=1655124349, api_et=1655109900.000000000, api_lt=1655124300.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655109900.000000000, search_lt=1655124300.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2394", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=21733741, total_slices=1512551, decompressed_slices=383224, duration.command.search.index=7669, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57761, invocations.command.search.rawdata.bucketcache.hit=21, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11761168, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 12:45:26.662, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655124240_37702', total_run_time=12.81, event_count=0, result_count=0, available_count=0, scan_count=21737632, drop_count=0, exec_time=1655124289, api_et=1655109840.000000000, api_lt=1655124240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655109840.000000000, search_lt=1655124240.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2264", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=21737632, total_slices=1510776, decompressed_slices=383270, duration.command.search.index=7634, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56456, invocations.command.search.rawdata.bucketcache.hit=21, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11765526, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 12:44:28.964, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655124180_37681', total_run_time=14.22, event_count=0, result_count=0, available_count=0, scan_count=21740990, drop_count=0, exec_time=1655124229, api_et=1655109780.000000000, api_lt=1655124180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655109780.000000000, search_lt=1655124180.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3162", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=21740990, total_slices=1509106, decompressed_slices=383359, duration.command.search.index=7546, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58119, invocations.command.search.rawdata.bucketcache.hit=21, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11769350, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 12:44:28.819, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1655124180_37678', total_run_time=21.50, event_count=0, result_count=0, available_count=0, scan_count=3475, drop_count=0, exec_time=1655124218, api_et=1655120580.000000000, api_lt=1655124180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655120580.000000000, search_lt=1655124220.180264000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2862", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_4cabf44e4ed64ffe", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=3475, total_slices=888140, decompressed_slices=1049, duration.command.search.index=1143, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4916, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 12:43:14.810, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655124120_37653', total_run_time=13.16, event_count=0, result_count=0, available_count=0, scan_count=21747708, drop_count=0, exec_time=1655124170, api_et=1655109720.000000000, api_lt=1655124120.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655109720.000000000, search_lt=1655124120.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2535", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=21747708, total_slices=1507278, decompressed_slices=383504, duration.command.search.index=7588, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58976, invocations.command.search.rawdata.bucketcache.hit=20, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11773475, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 12:43:14.018, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655124060_37630', total_run_time=13.39, event_count=0, result_count=0, available_count=0, scan_count=21751462, drop_count=0, exec_time=1655124110, api_et=1655109660.000000000, api_lt=1655124060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655109660.000000000, search_lt=1655124060.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2634", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=21751462, total_slices=1505648, decompressed_slices=383649, duration.command.search.index=7876, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58298, invocations.command.search.rawdata.bucketcache.hit=20, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11779139, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 12:41:26.919, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655124000_37604', total_run_time=21.56, event_count=0, result_count=0, available_count=0, scan_count=21751976, drop_count=0, exec_time=1655124049, api_et=1655109600.000000000, api_lt=1655124000.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655109600.000000000, search_lt=1655124000.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2662", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=21751976, total_slices=1503817, decompressed_slices=383707, duration.command.search.index=8122, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=64650, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11782356, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 12:40:17.823, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655123880_37566', total_run_time=15.66, event_count=0, result_count=0, available_count=0, scan_count=21764403, drop_count=0, exec_time=1655123929, api_et=1655109480.000000000, api_lt=1655123880.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655109480.000000000, search_lt=1655123880.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2851", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=1, considered_events=21764403, total_slices=1500360, decompressed_slices=383744, duration.command.search.index=8360, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55300, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11793421, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 12:40:16.462, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655123940_37583', total_run_time=17.88, event_count=0, result_count=0, available_count=0, scan_count=21757124, drop_count=0, exec_time=1655123989, api_et=1655109540.000000000, api_lt=1655123940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655109540.000000000, search_lt=1655123940.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2285", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=1, considered_events=21757124, total_slices=1502129, decompressed_slices=383732, duration.command.search.index=7872, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58317, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11788528, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 12:40:16.356, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655123760_37537', total_run_time=19.00, event_count=0, result_count=0, available_count=0, scan_count=21779374, drop_count=0, exec_time=1655123810, api_et=1655109360.000000000, api_lt=1655123760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655109360.000000000, search_lt=1655123760.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2726", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=21779374, total_slices=1496959, decompressed_slices=384002, duration.command.search.index=8053, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56781, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11807307, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 12:40:15.882, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655123820_37552', total_run_time=18.58, event_count=0, result_count=0, available_count=0, scan_count=21772942, drop_count=0, exec_time=1655123870, api_et=1655109420.000000000, api_lt=1655123820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655109420.000000000, search_lt=1655123820.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2736", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=1, considered_events=21772942, total_slices=1498230, decompressed_slices=383849, duration.command.search.index=8182, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59440, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11800081, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 12:36:06.427, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655123700_37527', total_run_time=15.48, event_count=0, result_count=0, available_count=0, scan_count=21785150, drop_count=0, exec_time=1655123750, api_et=1655109300.000000000, api_lt=1655123700.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655109300.000000000, search_lt=1655123700.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2216", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=21785150, total_slices=1494857, decompressed_slices=384214, duration.command.search.index=7945, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56734, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11814278, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 12:35:07.087, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655123640_37506', total_run_time=14.52, event_count=0, result_count=0, available_count=0, scan_count=21794927, drop_count=0, exec_time=1655123690, api_et=1655109240.000000000, api_lt=1655123640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655109240.000000000, search_lt=1655123640.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2848", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=21794927, total_slices=1493511, decompressed_slices=384206, duration.command.search.index=8312, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57006, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11821842, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 12:34:37.042, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655123580_37470', total_run_time=17.76, event_count=0, result_count=0, available_count=0, scan_count=21803099, drop_count=0, exec_time=1655123630, api_et=1655109180.000000000, api_lt=1655123580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655109180.000000000, search_lt=1655123580.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2756", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=21803099, total_slices=1518549, decompressed_slices=384297, duration.command.search.index=9613, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=68541, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11829549, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 12:34:36.726, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1655123580_37456', total_run_time=44.01, event_count=0, result_count=0, available_count=0, scan_count=39818570, drop_count=0, exec_time=1655123605, api_et=1655119980.000000000, api_lt=1655123580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655119980.000000000, search_lt=1655123607.376719000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3834", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_d4fa9be8a19140da", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1815, eliminated_buckets=134, considered_events=39818570, total_slices=13654347, decompressed_slices=3952011, duration.command.search.index=14927, invocations.command.search.index.bucketcache.hit=1810, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=229566, invocations.command.search.rawdata.bucketcache.hit=262, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 12:33:25.090, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655123460_37404', total_run_time=17.20, event_count=0, result_count=0, available_count=0, scan_count=21817008, drop_count=0, exec_time=1655123510, api_et=1655109060.000000000, api_lt=1655123460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655109060.000000000, search_lt=1655123460.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2858", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=21817008, total_slices=1515096, decompressed_slices=384458, duration.command.search.index=9780, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=72108, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11841103, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 12:33:24.136, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655123520_37434', total_run_time=20.00, event_count=0, result_count=0, available_count=0, scan_count=21812374, drop_count=0, exec_time=1655123569, api_et=1655109120.000000000, api_lt=1655123520.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655109120.000000000, search_lt=1655123520.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3203", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=21812374, total_slices=1516736, decompressed_slices=384445, duration.command.search.index=9943, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=73496, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11835523, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 12:31:06.737, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655123400_37376', total_run_time=16.17, event_count=0, result_count=0, available_count=0, scan_count=21819450, drop_count=0, exec_time=1655123449, api_et=1655109000.000000000, api_lt=1655123400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655109000.000000000, search_lt=1655123400.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2697", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=21819450, total_slices=1540209, decompressed_slices=384518, duration.command.search.index=9209, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=65362, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11845788, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 12:30:06.471, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655123340_37347', total_run_time=13.15, event_count=0, result_count=0, available_count=0, scan_count=21826587, drop_count=0, exec_time=1655123389, api_et=1655108940.000000000, api_lt=1655123340.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655108940.000000000, search_lt=1655123340.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2714", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=21826587, total_slices=1538318, decompressed_slices=384606, duration.command.search.index=7936, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=54880, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11851917, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 12:29:25.861, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655123280_37334', total_run_time=12.76, event_count=0, result_count=0, available_count=0, scan_count=21833410, drop_count=0, exec_time=1655123329, api_et=1655108880.000000000, api_lt=1655123280.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655108880.000000000, search_lt=1655123280.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2846", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=21833410, total_slices=1536704, decompressed_slices=384695, duration.command.search.index=7966, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=54729, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11858436, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 12:29:24.099, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655123220_37320', total_run_time=12.85, event_count=0, result_count=0, available_count=0, scan_count=21838923, drop_count=0, exec_time=1655123269, api_et=1655108820.000000000, api_lt=1655123220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655108820.000000000, search_lt=1655123220.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2590", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=21838923, total_slices=1561706, decompressed_slices=384771, duration.command.search.index=7863, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59165, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11861983, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 12:27:17.698, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655123160_37301', total_run_time=12.51, event_count=0, result_count=0, available_count=0, scan_count=21842594, drop_count=0, exec_time=1655123210, api_et=1655108760.000000000, api_lt=1655123160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655108760.000000000, search_lt=1655123160.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2792", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=21842594, total_slices=1560045, decompressed_slices=384735, duration.command.search.index=7713, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58043, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11866776, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 12:26:17.906, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655123100_37285', total_run_time=14.41, event_count=0, result_count=0, available_count=0, scan_count=21846747, drop_count=0, exec_time=1655123150, api_et=1655108700.000000000, api_lt=1655123100.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655108700.000000000, search_lt=1655123100.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3419", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=21846747, total_slices=1558279, decompressed_slices=384754, duration.command.search.index=7707, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58730, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11870518, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 12:25:18.064, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655123040_37271', total_run_time=16.11, event_count=0, result_count=0, available_count=0, scan_count=21850794, drop_count=0, exec_time=1655123090, api_et=1655108640.000000000, api_lt=1655123040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655108640.000000000, search_lt=1655123040.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2667", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=21850794, total_slices=1556594, decompressed_slices=384749, duration.command.search.index=9294, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61878, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11872981, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 12:24:17.791, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655122980_37252', total_run_time=14.29, event_count=0, result_count=0, available_count=0, scan_count=21852919, drop_count=0, exec_time=1655123029, api_et=1655108580.000000000, api_lt=1655122980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655108580.000000000, search_lt=1655122980.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2824", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=21852919, total_slices=1554551, decompressed_slices=384691, duration.command.search.index=8262, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57272, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11875901, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 12:23:18.033, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655122920_37220', total_run_time=14.82, event_count=0, result_count=0, available_count=0, scan_count=21853008, drop_count=0, exec_time=1655122969, api_et=1655108520.000000000, api_lt=1655122920.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655108520.000000000, search_lt=1655122920.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2693", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=21853008, total_slices=1553050, decompressed_slices=384699, duration.command.search.index=8171, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=60811, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11875990, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 12:22:17.788, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655122860_37204', total_run_time=16.23, event_count=0, result_count=0, available_count=0, scan_count=21854233, drop_count=0, exec_time=1655122909, api_et=1655108460.000000000, api_lt=1655122860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655108460.000000000, search_lt=1655122860.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2685", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=21854233, total_slices=1551307, decompressed_slices=384682, duration.command.search.index=8950, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=63437, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11878292, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 12:21:35.707, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655122800_37176', total_run_time=14.65, event_count=0, result_count=0, available_count=0, scan_count=21858698, drop_count=0, exec_time=1655122849, api_et=1655108400.000000000, api_lt=1655122800.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655108400.000000000, search_lt=1655122800.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2728", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=21858698, total_slices=1549670, decompressed_slices=384886, duration.command.search.index=8554, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=54993, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11881198, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 12:21:34.646, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655122680_37127', total_run_time=18.64, event_count=0, result_count=0, available_count=0, scan_count=21868169, drop_count=0, exec_time=1655122730, api_et=1655108280.000000000, api_lt=1655122680.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655108280.000000000, search_lt=1655122680.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2687", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=21868169, total_slices=1546239, decompressed_slices=385051, duration.command.search.index=8912, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=64005, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11884817, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 12:21:34.525, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655122740_37152', total_run_time=23.27, event_count=0, result_count=0, available_count=0, scan_count=21864539, drop_count=0, exec_time=1655122789, api_et=1655108340.000000000, api_lt=1655122740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655108340.000000000, search_lt=1655122740.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2751", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=21864539, total_slices=1547922, decompressed_slices=385004, duration.command.search.index=8341, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=60924, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11882918, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 12:21:34.190, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655122620_37106', total_run_time=21.70, event_count=0, result_count=0, available_count=0, scan_count=21872178, drop_count=0, exec_time=1655122669, api_et=1655108220.000000000, api_lt=1655122620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655108220.000000000, search_lt=1655122620.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2684", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=21872178, total_slices=1544564, decompressed_slices=385142, duration.command.search.index=8767, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=63468, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11886479, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 12:17:16.638, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655122560_37083', total_run_time=20.20, event_count=0, result_count=0, available_count=0, scan_count=21870132, drop_count=0, exec_time=1655122609, api_et=1655108160.000000000, api_lt=1655122560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655108160.000000000, search_lt=1655122560.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2707", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=21870132, total_slices=1542878, decompressed_slices=385167, duration.command.search.index=8334, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=65895, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11886390, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 12:16:46.790, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1655122560_37077', total_run_time=11.06, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655122571, api_et=1655118360.000000000, api_lt=1655121960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655118960.000000000, search_lt=1655122573.603757000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3701", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_e43ca4ef42636627", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1008, eliminated_buckets=335, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=723, invocations.command.search.index.bucketcache.hit=1008, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes 
values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 12:16:16.560, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655122500_37066', total_run_time=19.33, event_count=0, result_count=0, available_count=0, scan_count=21868775, drop_count=0, exec_time=1655122549, api_et=1655108100.000000000, api_lt=1655122500.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655108100.000000000, search_lt=1655122500.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2669", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=21868775, total_slices=1541191, 
decompressed_slices=385181, duration.command.search.index=8724, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=68360, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11886090, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 12:15:16.727, 
user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655122440_37047', total_run_time=18.85, event_count=0, result_count=0, available_count=0, scan_count=21870998, drop_count=0, exec_time=1655122490, api_et=1655108040.000000000, api_lt=1655122440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655108040.000000000, search_lt=1655122440.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2645", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=21870998, total_slices=1539472, decompressed_slices=385141, duration.command.search.index=8481, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=69339, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11887535, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" 
dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 12:14:46.799, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1655122440_37034', total_run_time=5.65, event_count=0, result_count=0, available_count=0, scan_count=12998, drop_count=0, exec_time=1655122463, api_et=1655118840.000000000, api_lt=1655122440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655118840.000000000, search_lt=1655122465.708215000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2820", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=415, eliminated_buckets=282, considered_events=13262, total_slices=397604, decompressed_slices=2906, duration.command.search.index=1055, invocations.command.search.index.bucketcache.hit=415, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5948, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=43, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=124, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=268, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=64, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=8, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=169, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=4, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR 
sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." 
(CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-13-2022 12:14:16.780, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655122380_37024', total_run_time=18.09, event_count=0, result_count=0, available_count=0, scan_count=21871288, drop_count=0, exec_time=1655122429, api_et=1655107980.000000000, api_lt=1655122380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655107980.000000000, search_lt=1655122380.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2607", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=21871288, total_slices=1537734, decompressed_slices=385107, duration.command.search.index=8915, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=65783, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11888200, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 12:13:16.549, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655122320_36996', total_run_time=15.35, event_count=0, result_count=0, available_count=0, scan_count=21871127, drop_count=0, exec_time=1655122369, api_et=1655107920.000000000, api_lt=1655122320.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655107920.000000000, search_lt=1655122320.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2593", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=21871127, total_slices=1535979, decompressed_slices=385224, duration.command.search.index=7996, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58338, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11888367, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 12:12:16.648, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655122260_36978', total_run_time=15.60, event_count=0, result_count=0, available_count=0, scan_count=21872222, drop_count=0, exec_time=1655122310, api_et=1655107860.000000000, api_lt=1655122260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655107860.000000000, search_lt=1655122260.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3377", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=21872222, total_slices=1534391, decompressed_slices=385295, duration.command.search.index=7882, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61173, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11889625, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 12:11:16.872, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655122200_36953', total_run_time=13.53, event_count=0, result_count=0, available_count=0, scan_count=21871032, drop_count=0, exec_time=1655122249, api_et=1655107800.000000000, api_lt=1655122200.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655107800.000000000, search_lt=1655122200.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2619", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=21871032, total_slices=1532710, decompressed_slices=385293, duration.command.search.index=8087, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57804, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11889358, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 12:11:16.765, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1655122260_36960', total_run_time=4.66, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655122264, api_et=1655118660.000000000, api_lt=1655122260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655118660.000000000, search_lt=1655122266.327384000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2209", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_8ee7543207e955a7", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=122, eliminated_buckets=47, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=69, invocations.command.search.index.bucketcache.hit=122, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 12:10:06.195, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655122140_36931', total_run_time=14.65, event_count=0, result_count=0, available_count=0, scan_count=21871946, drop_count=0, exec_time=1655122189, api_et=1655107740.000000000, api_lt=1655122140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655107740.000000000, search_lt=1655122140.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2673", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=21871946, total_slices=1531004, decompressed_slices=385377, duration.command.search.index=7686, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58955, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11888798, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 12:09:45.143, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655122080_36915', total_run_time=13.26, event_count=0, result_count=0, available_count=0, scan_count=21872286, drop_count=0, exec_time=1655122129, api_et=1655107680.000000000, api_lt=1655122080.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655107680.000000000, search_lt=1655122080.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2696", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=21872286, total_slices=1529279, decompressed_slices=385466, duration.command.search.index=7667, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58290, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11886806, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 12:09:45.109, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1655122020_36901', total_run_time=16.22, event_count=1075, result_count=55, available_count=0, scan_count=312514, drop_count=0, exec_time=1655122080, api_et=1655118420.000000000, api_lt=1655122020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655118420.000000000, search_lt=1655122082.092217000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2876", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=415, eliminated_buckets=205, considered_events=318493, total_slices=543147, decompressed_slices=81348, duration.command.search.index=2863, invocations.command.search.index.bucketcache.hit=415, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=23681, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=1, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=256352, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=27716, 
search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-13-2022 12:09:44.953, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1655122140_36923', total_run_time=17.71, event_count=0, result_count=0, available_count=0, scan_count=3847139, drop_count=0, exec_time=1655122145, api_et=1655117940.000000000, 
api_lt=1655121540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655117940.000000000, search_lt=1655121540.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3199", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_ed637a6fd1a9ea1b", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=791, eliminated_buckets=366, considered_events=3847139, total_slices=995603, decompressed_slices=177926, duration.command.search.index=1593, invocations.command.search.index.bucketcache.hit=790, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=28447, invocations.command.search.rawdata.bucketcache.hit=6, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=158, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id 
!= recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 12:09:44.874, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655122020_36898', total_run_time=13.28, event_count=0, result_count=0, available_count=0, scan_count=21873741, drop_count=0, exec_time=1655122069, api_et=1655107620.000000000, api_lt=1655122020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655107620.000000000, search_lt=1655122020.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2678", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=21873741, total_slices=1527529, decompressed_slices=385545, duration.command.search.index=7859, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=54728, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11886490, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 12:09:44.662, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1655122020_36893', total_run_time=4.48, event_count=0, result_count=0, available_count=0, 
scan_count=1, drop_count=0, exec_time=1655122046, api_et=1655118420.000000000, api_lt=1655122020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655118420.000000000, search_lt=1655122048.534314000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2924", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_cd919f3ecf06c4a9", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=415, eliminated_buckets=205, considered_events=1, total_slices=12624, decompressed_slices=1, duration.command.search.index=621, invocations.command.search.index.bucketcache.hit=415, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=127, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR 
CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 12:07:23.065, user=u00002, action=search, info=completed, search_id='scheduler__u00002__search__RMD5b133e58a16dd7195_at_1655121600_36847', total_run_time=131.22, event_count=2696, result_count=2695, available_count=0, scan_count=1757609, drop_count=0, exec_time=1655121890, api_et=1655035200.000000000, api_lt=1655121600.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1567209600.000000000, search_lt=1655121600.000000000, is_realtime=0, savedsearch_name="DMO Confluence Aging Metrics", search_startup_time="64653", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_search_u00002_efddcd3759d96657", app="search", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=30404, eliminated_buckets=4808, considered_events=1757609, total_slices=14053563, decompressed_slices=1089847, duration.command.search.index=1093660, invocations.command.search.index.bucketcache.hit=26067, duration.command.search.index.bucketcache.hit=0, 
invocations.command.search.index.bucketcache.miss=4389, duration.command.search.index.bucketcache.miss=551972, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=214277, invocations.command.search.rawdata.bucketcache.hit=18960, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=2225, duration.command.search.rawdata.bucketcache.miss=377939, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__access=71088, sourcetype_count__atlassian:confluence:access=1170765, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search earliest=08/31/2019:00:00:00 latest=now index=ops_confluence url IN ("https://confluence.tshirt.com/display/SEC/*") uri_path="/rest/quickreload/latest/*" | fields url, uri_path | rex field=uri_path "\/rest\/quickreload\/latest\/(?[^?]+)" | rex field=url "https:\/\/confluence.tshirt.com\/display\/SEC\/(?[^?]+)" | rex field=url "https://confluence.tshirt.com/display/~u00001/(?[^?]+)" | eval pageTitle=coalesce(pageTitle_1, pageTitle_2, "") | fields pageId, pageTitle | dedup pageId | join type=left pageId [search earliest=08/31/2019:00:00:00 latest=now index=ops_confluence PUT user=* url="https://confluence.tshirt.com/pages/resumedraft.action?draftId=*" uri_path="/rest/api/content/*" | rex field=uri_path "\/rest\/api\/content\/(?[^?]+)\?status=draft" | stats latest(_time) AS last_edited latest(user) AS last_edited_by by pageId | fields last_edited last_edited_by pageId] | fields last_edited pageTitle pageId last_edited_by | eval days=round(((now()-last_edited)/86400),0) | convert ctime(last_edited) | table last_edited pageTitle pageId last_edited_by days | where 
pageId!=0 | sort +days | outputlookup dmo_conf_age.csv'] Audit:[timestamp=06-13-2022 12:07:22.966, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655121960_36878', total_run_time=15.60, event_count=0, result_count=0, available_count=0, scan_count=21874673, drop_count=0, exec_time=1655122010, api_et=1655107560.000000000, api_lt=1655121960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655107560.000000000, search_lt=1655121960.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2823", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=21874673, total_slices=1525867, decompressed_slices=385584, duration.command.search.index=8314, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59951, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11886359, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 12:06:22.805, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655121900_36864', total_run_time=15.76, event_count=0, result_count=0, available_count=0, scan_count=21873095, drop_count=0, exec_time=1655121950, api_et=1655107500.000000000, api_lt=1655121900.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655107500.000000000, search_lt=1655121900.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3201", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=21873095, total_slices=1524306, decompressed_slices=385621, duration.command.search.index=8350, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61500, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11886790, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 12:05:10.109, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655121840_36846', total_run_time=15.02, event_count=0, result_count=0, available_count=0, scan_count=21874512, drop_count=0, exec_time=1655121889, api_et=1655107440.000000000, api_lt=1655121840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655107440.000000000, search_lt=1655121840.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2874", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=21874512, total_slices=1522524, decompressed_slices=385628, duration.command.search.index=8565, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=62106, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11887000, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 12:05:09.929, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655121720_36757', total_run_time=17.68, event_count=0, result_count=0, available_count=0, scan_count=21882102, drop_count=0, exec_time=1655121769, api_et=1655107320.000000000, api_lt=1655121720.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655107320.000000000, search_lt=1655121720.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2759", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=21882102, total_slices=1519088, decompressed_slices=385827, duration.command.search.index=8730, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=67727, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11891434, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 12:05:09.881, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655121660_36726', total_run_time=18.17, event_count=0, result_count=0, available_count=0, scan_count=21884937, drop_count=0, exec_time=1655121710, api_et=1655107260.000000000, api_lt=1655121660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655107260.000000000, search_lt=1655121660.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2672", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=21884937, total_slices=1517367, decompressed_slices=385861, duration.command.search.index=9389, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=75118, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11892681, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 12:05:08.778, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655121780_36803', total_run_time=16.57, event_count=0, result_count=0, available_count=0, scan_count=21879626, drop_count=0, exec_time=1655121829, api_et=1655107380.000000000, api_lt=1655121780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655107380.000000000, search_lt=1655121780.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2751", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=21879626, total_slices=1520752, decompressed_slices=385745, duration.command.search.index=9381, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=69761, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11889942, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 12:01:36.559, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD5447569e8e48a25cb_at_1655121600_36690', total_run_time=62.99, event_count=0, result_count=103, available_count=0, scan_count=0, drop_count=0, exec_time=1655121632, api_et=1655119800.000000000, api_lt=1655121600.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655119800.000000000, search_lt=1655121600.000000000, is_realtime=0, savedsearch_name="DMO SOP SIR Metrics", search_startup_time="63733", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=0, eliminated_buckets=0, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=0, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='| inputlookup dmo_conf_age.csv | search pageTitle IN ("DMOESS*", "RQ-S*") NOT pageTitle IN ("*+Retired", "*+RETIRED") | rex field=pageTitle "^(?<usecase_id>\S+?)\+" | join usecase_id [| search earliest=-1y index=sec_snow sourcetype=snow:sn_si_incident | rex field=description "(?s)\|\s(?<usecase_title>(RQ-|DMOESS).*)?For ServiceNow Consumption:" | stats latest(number) as latest_sir_number by _time, usecase_title | makemv usecase_title delim=" | " | mvexpand usecase_title | search usecase_title IN ("RQ-*", "DMOESS*") | stats last(latest_sir_number) as latest_sir_number latest(_time) as last_appeared_in_sir by usecase_title | rex field=usecase_title "^(?<usecase_id>\S*)" | fields usecase_id, usecase_title, latest_sir_number, last_appeared_in_sir] | stats values(pageTitle) as conf_pageTitle, values(last_edited_by) as conf_last_edited_by, values(last_edited) as conf_last_edited, values(days) as conf_days_since_last_edit, values(pageId) as conf_pageId by last_appeared_in_sir, latest_sir_number, usecase_id, usecase_title | convert ctime(last_appeared_in_sir) | outputlookup dmo_sop_sir_metrics.csv'] Audit:[timestamp=06-13-2022 12:01:06.810, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655121600_36694', total_run_time=16.67, event_count=0, result_count=0, available_count=0, scan_count=21891232, drop_count=0, exec_time=1655121649, api_et=1655107200.000000000, api_lt=1655121600.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655107200.000000000, search_lt=1655121600.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2687", has_error_msg=false, 
fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=21891232, total_slices=1515712, decompressed_slices=386002, duration.command.search.index=9448, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=72388, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11895483, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host 
src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 11:44:15.159, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1655120580_36404', total_run_time=21.05, event_count=0, result_count=0, available_count=0, scan_count=3143, drop_count=0, exec_time=1655120618, api_et=1655116980.000000000, api_lt=1655120580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655116980.000000000, search_lt=1655120620.695970000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2823", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_e83af3a2478ca056", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=122, eliminated_buckets=0, considered_events=3143, total_slices=1050101, decompressed_slices=839, duration.command.search.index=1112, invocations.command.search.index.bucketcache.hit=122, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4898, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 11:39:15.316, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1655119980_36197', total_run_time=349.18, event_count=0, result_count=0, available_count=0, scan_count=39506255, drop_count=0, exec_time=1655120005, api_et=1655116380.000000000, api_lt=1655119980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655116380.000000000, search_lt=1655120007.420212000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3771", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_0512e2901bcca6fb", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1808, eliminated_buckets=134, considered_events=39506255, total_slices=13671596, decompressed_slices=3929193, duration.command.search.index=13955, invocations.command.search.index.bucketcache.hit=1805, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=226289, invocations.command.search.rawdata.bucketcache.hit=264, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 11:16:30.192, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1655118960_35857', total_run_time=8.21, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655118970, api_et=1655114760.000000000, api_lt=1655118360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655115360.000000000, search_lt=1655118971.889425000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="2778", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_4438773a6dfaf4bd", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1012, eliminated_buckets=338, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=640, invocations.command.search.index.bucketcache.hit=1011, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?<rapiddiag_operation>task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metadata")` | rex field=uri "\?(?<get_parameters>.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?<task_name>.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metadata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 11:15:00.193, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1655118840_35816', total_run_time=6.77, event_count=0, result_count=0, available_count=0, scan_count=14454, drop_count=0, exec_time=1655118863, api_et=1655115240.000000000, api_lt=1655118840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655115240.000000000, search_lt=1655118865.369703000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2867", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=421, eliminated_buckets=286, considered_events=14728, total_slices=421644, decompressed_slices=2838, duration.command.search.index=1043, invocations.command.search.index.bucketcache.hit=421, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5954, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=25, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=78, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=203, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=44, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=5, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=109, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=12, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") 
`filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-13-2022 11:11:18.189, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1655118660_35750', total_run_time=4.51, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655118664, api_et=1655115060.000000000, api_lt=1655118660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655115060.000000000, search_lt=1655118665.873078000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2235", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_25654f3d0b898a25", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=121, eliminated_buckets=46, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=69, invocations.command.search.index.bucketcache.hit=121, 
duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?<dest_host>.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 11:09:48.026, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1655118540_35717', total_run_time=24.34, event_count=0, result_count=0, available_count=0, scan_count=3715156, drop_count=0, exec_time=1655118545, api_et=1655114340.000000000, api_lt=1655117940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655114340.000000000, search_lt=1655117940.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3135", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_1b72146e76876176", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=786, eliminated_buckets=360, considered_events=3715156, total_slices=949032, decompressed_slices=178347, duration.command.search.index=1683, invocations.command.search.index.bucketcache.hit=784, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=30835, invocations.command.search.rawdata.bucketcache.hit=6, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=133, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?<granted_account_id>\d+?):(?<granted_principal_name>.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 11:08:28.421, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1655118420_35693', total_run_time=5.36, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655118446, api_et=1655114820.000000000, api_lt=1655118420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655114820.000000000, search_lt=1655118448.675664000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To 
Gitlab Servers - Rule", search_startup_time="2820", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_129ec548193268f0", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=419, eliminated_buckets=207, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=681, invocations.command.search.index.bucketcache.hit=419, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?<dest_host>(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host 
ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 11:08:26.089, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1655118420_35698', total_run_time=16.81, event_count=1093, result_count=55, available_count=0, scan_count=325066, drop_count=0, exec_time=1655118480, api_et=1655114820.000000000, api_lt=1655118420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655114820.000000000, search_lt=1655118482.520424000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - Windows - CLI Threat Indicator Detected - Rule", search_startup_time="3002", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=420, eliminated_buckets=208, considered_events=330559, total_slices=516001, decompressed_slices=80391, duration.command.search.index=3061, invocations.command.search.index.bucketcache.hit=420, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=24284, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, 
invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=2, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=266784, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=28762, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] 
Audit:[timestamp=06-13-2022 10:45:32.690, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1655116980_35225', total_run_time=20.91, event_count=0, result_count=0, available_count=0, scan_count=3731, drop_count=0, exec_time=1655117018, api_et=1655113380.000000000, api_lt=1655116980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655113380.000000000, search_lt=1655117019.958026000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2810", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_b6943eb6d778498f", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=120, eliminated_buckets=0, considered_events=3731, total_slices=1016030, decompressed_slices=1216, duration.command.search.index=1059, invocations.command.search.index.bucketcache.hit=120, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4891, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search 
index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 10:41:16.782, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1655116380_35017', total_run_time=399.44, event_count=0, result_count=0, available_count=0, scan_count=39225769, drop_count=0, exec_time=1655116406, api_et=1655112780.000000000, api_lt=1655116380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655112780.000000000, search_lt=1655116408.215717000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3739", has_error_msg=true, fully_completed_search=false, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_bb8883eff0a3002b", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1814, eliminated_buckets=134, considered_events=39225769, total_slices=13796812, decompressed_slices=3868611, duration.command.search.index=13538, 
invocations.command.search.index.bucketcache.hit=1815, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=220579, invocations.command.search.rawdata.bucketcache.hit=267, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 10:16:44.554, user=u00001, action=search, info=completed, 
search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1655115360_34668', total_run_time=8.43, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655115371, api_et=1655111160.000000000, api_lt=1655114760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655111760.000000000, search_lt=1655115373.254785000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3353", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_1309808f25f85c54", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1017, eliminated_buckets=339, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=812, invocations.command.search.index.bucketcache.hit=1017, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert 
OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metadata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metadata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 10:14:44.744, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1655115240_34628', total_run_time=5.15, event_count=0, result_count=0, available_count=0, scan_count=13074, drop_count=0, exec_time=1655115263, api_et=1655111640.000000000, api_lt=1655115240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655111640.000000000, search_lt=1655115264.957042000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2788", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=418, eliminated_buckets=282, considered_events=13091, total_slices=464770, decompressed_slices=2518, duration.command.search.index=1086, invocations.command.search.index.bucketcache.hit=418, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5810, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=40, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=82, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=247, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=52, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=6, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=178, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=2, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") 
`filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-13-2022 10:11:14.563, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1655115060_34561', total_run_time=5.18, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655115064, api_et=1655111460.000000000, api_lt=1655115060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655111460.000000000, search_lt=1655115066.215883000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="3106", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_aff674c10272762a", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=120, eliminated_buckets=45, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=71, invocations.command.search.index.bucketcache.hit=120, 
duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 10:09:44.458, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1655114940_34529', total_run_time=16.98, event_count=0, result_count=0, available_count=0, scan_count=3741234, drop_count=0, exec_time=1655114945, api_et=1655110740.000000000, api_lt=1655114340.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655110740.000000000, search_lt=1655114340.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3030", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_90f7840483884bb8", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=781, eliminated_buckets=357, considered_events=3741234, total_slices=956887, decompressed_slices=178591, duration.command.search.index=1873, invocations.command.search.index.bucketcache.hit=781, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=29332, invocations.command.search.rawdata.bucketcache.hit=7, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=246, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 10:08:44.409, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1655114820_34515', total_run_time=15.60, event_count=1122, result_count=54, available_count=0, scan_count=338231, drop_count=0, exec_time=1655114884, api_et=1655111220.000000000, api_lt=1655114820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655111220.000000000, search_lt=1655114886.080680000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2833", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=418, eliminated_buckets=208, considered_events=344704, total_slices=449249, decompressed_slices=83180, duration.command.search.index=2998, invocations.command.search.index.bucketcache.hit=418, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=24591, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=2, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=274493, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=29112, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype 
CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-13-2022 10:07:44.444, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1655114820_34505', total_run_time=5.66, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655114846, api_et=1655111220.000000000, api_lt=1655114820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655111220.000000000, search_lt=1655114848.208407000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2725", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_2eaa6fb90cc4bb0f", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=417, eliminated_buckets=207, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=682, invocations.command.search.index.bucketcache.hit=417, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 09:44:02.193, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1655113380_34035', total_run_time=21.15, event_count=0, result_count=0, available_count=0, scan_count=3992, drop_count=0, exec_time=1655113418, api_et=1655109780.000000000, api_lt=1655113380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655109780.000000000, search_lt=1655113419.938065000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2799", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_6de8a8158d14bb2d", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=122, eliminated_buckets=0, considered_events=3992, total_slices=995183, decompressed_slices=1178, duration.command.search.index=1057, invocations.command.search.index.bucketcache.hit=122, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4924, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 09:42:26.696, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1655112780_33828', total_run_time=266.11, event_count=0, result_count=0, available_count=0, scan_count=39255827, drop_count=0, exec_time=1655112805, api_et=1655109180.000000000, api_lt=1655112780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655109180.000000000, search_lt=1655112807.492917000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3692", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_3795d799b7f2b7ce", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1835, eliminated_buckets=134, considered_events=39255827, total_slices=14017488, decompressed_slices=3928796, duration.command.search.index=13877, invocations.command.search.index.bucketcache.hit=1825, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=220369, invocations.command.search.rawdata.bucketcache.hit=263, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 09:16:27.386, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1655111760_33483', total_run_time=6.92, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655111771, api_et=1655107560.000000000, api_lt=1655111160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655108160.000000000, search_lt=1655111773.067721000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3182", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_0b4bbe26e9bf43a9", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1013, eliminated_buckets=339, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=673, invocations.command.search.index.bucketcache.hit=1012, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?<rapiddiag_operation>task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metadata")` | rex field=uri "\?(?<get_parameters>.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?<task_name>.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metadata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 09:14:57.852, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1655111640_33443', total_run_time=4.21, event_count=0, result_count=0, available_count=0, scan_count=16876, drop_count=0, exec_time=1655111663, api_et=1655108040.000000000, api_lt=1655111640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655108040.000000000, search_lt=1655111664.916670000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2851", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=425, eliminated_buckets=286, considered_events=16994, total_slices=608164, decompressed_slices=2742, duration.command.search.index=1178, invocations.command.search.index.bucketcache.hit=425, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5614, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=38, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=114, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=305, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=74, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=11, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=83, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | 
`filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-13-2022 09:11:52.536, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1655111460_33375', total_run_time=4.76, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655111465, api_et=1655107860.000000000, api_lt=1655111460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655107860.000000000, search_lt=1655111466.873263000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2925", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_a1f202ae3c7c31ec", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=120, eliminated_buckets=45, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=62, invocations.command.search.index.bucketcache.hit=120, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?<dest_host>.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 09:09:57.577, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1655111340_33341', total_run_time=22.45, event_count=0, result_count=0, available_count=0, scan_count=3956926, drop_count=0, exec_time=1655111345, api_et=1655107140.000000000, api_lt=1655110740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655107140.000000000, search_lt=1655110740.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3073", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_72f84ee3147e67b8", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=791, eliminated_buckets=360, considered_events=3956926, total_slices=1059117, decompressed_slices=185830, duration.command.search.index=1653, invocations.command.search.index.bucketcache.hit=788, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=29898, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=285, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?<granted_account_id>\d+?):(?<granted_principal_name>.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 09:08:27.034, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1655111220_33322', total_run_time=14.99, event_count=1125, result_count=54, available_count=0, scan_count=341626, drop_count=0, exec_time=1655111280, api_et=1655107620.000000000, api_lt=1655111220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655107620.000000000, search_lt=1655111282.651550000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2940", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=427, eliminated_buckets=209, considered_events=345953, total_slices=527224, decompressed_slices=83371, duration.command.search.index=2959, invocations.command.search.index.bucketcache.hit=426, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=25296, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=277929, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=29828, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | 
rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-13-2022 09:07:56.510, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1655111220_33317', total_run_time=5.07, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655111246, api_et=1655107620.000000000, api_lt=1655111220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655107620.000000000, search_lt=1655111248.672010000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2779", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_46fe70eca758de46", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=426, eliminated_buckets=208, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=767, invocations.command.search.index.bucketcache.hit=425, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, 
invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?<dest_host>(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 09:00:24.209, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655110740_33124', total_run_time=15.58, event_count=0, result_count=0, available_count=0, scan_count=21438770, drop_count=0, exec_time=1655110790, api_et=1655096340.000000000, api_lt=1655110740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655096340.000000000, search_lt=1655110740.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2566", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=21438770, total_slices=1314535, decompressed_slices=386809, duration.command.search.index=7694, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59198, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11675315, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 08:59:24.236, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655110680_33111', total_run_time=12.66, event_count=0, result_count=0, available_count=0, scan_count=21427575, drop_count=0, exec_time=1655110729, api_et=1655096280.000000000, api_lt=1655110680.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655096280.000000000, search_lt=1655110680.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2648", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=21427575, total_slices=1312638, decompressed_slices=386872, duration.command.search.index=7610, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=54802, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11668620, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 08:58:24.436, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655110620_33094', total_run_time=14.05, event_count=0, result_count=0, available_count=0, scan_count=21452080, drop_count=0, exec_time=1655110669, api_et=1655096220.000000000, api_lt=1655110620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655096220.000000000, search_lt=1655110620.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2598", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=21452080, total_slices=1310818, decompressed_slices=387069, duration.command.search.index=8324, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57261, invocations.command.search.rawdata.bucketcache.hit=7, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11662890, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 08:57:24.706, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655110560_33076', total_run_time=12.80, event_count=0, result_count=0, available_count=0, scan_count=21446139, drop_count=0, exec_time=1655110609, api_et=1655096160.000000000, api_lt=1655110560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655096160.000000000, search_lt=1655110560.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2473", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=125, eliminated_buckets=0, considered_events=21446139, total_slices=1308840, decompressed_slices=387002, duration.command.search.index=7820, invocations.command.search.index.bucketcache.hit=125, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57646, invocations.command.search.rawdata.bucketcache.hit=7, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11657290, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 08:56:24.350, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655110500_33065', total_run_time=13.90, event_count=0, result_count=0, available_count=0, scan_count=21434656, drop_count=0, exec_time=1655110549, api_et=1655096100.000000000, api_lt=1655110500.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655096100.000000000, search_lt=1655110500.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3229", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=125, eliminated_buckets=0, considered_events=21434656, total_slices=1307280, decompressed_slices=386944, duration.command.search.index=7603, invocations.command.search.index.bucketcache.hit=125, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55705, invocations.command.search.rawdata.bucketcache.hit=7, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11649784, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 08:55:35.026, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655110440_33049', total_run_time=12.71, event_count=0, result_count=0, available_count=0, scan_count=21425295, drop_count=0, exec_time=1655110490, api_et=1655096040.000000000, api_lt=1655110440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655096040.000000000, search_lt=1655110440.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2770", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=125, eliminated_buckets=0, considered_events=21425295, total_slices=1305438, decompressed_slices=386806, duration.command.search.index=7781, invocations.command.search.index.bucketcache.hit=125, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55918, invocations.command.search.rawdata.bucketcache.hit=7, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11644544, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 08:54:24.291, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655110380_33032', total_run_time=12.27, event_count=0, result_count=0, available_count=0, scan_count=21415107, drop_count=0, exec_time=1655110430, api_et=1655095980.000000000, api_lt=1655110380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655095980.000000000, search_lt=1655110380.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2778", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=125, eliminated_buckets=0, considered_events=21415107, total_slices=1303493, decompressed_slices=386684, duration.command.search.index=7618, invocations.command.search.index.bucketcache.hit=125, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=54929, invocations.command.search.rawdata.bucketcache.hit=7, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11640788, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 08:53:24.718, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655110320_33007', total_run_time=15.52, event_count=0, result_count=0, available_count=0, scan_count=21406628, drop_count=0, exec_time=1655110369, api_et=1655095920.000000000, api_lt=1655110320.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655095920.000000000, search_lt=1655110320.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2687", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=125, eliminated_buckets=0, considered_events=21406628, total_slices=1301639, decompressed_slices=386609, duration.command.search.index=7882, invocations.command.search.index.bucketcache.hit=125, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=62664, invocations.command.search.rawdata.bucketcache.hit=7, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11634579, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 08:52:14.055, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655110260_32989', total_run_time=14.51, event_count=0, result_count=0, available_count=0, scan_count=21393157, drop_count=0, exec_time=1655110309, api_et=1655095860.000000000, api_lt=1655110260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655095860.000000000, search_lt=1655110260.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2656", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=125, eliminated_buckets=0, considered_events=21393157, total_slices=1299829, decompressed_slices=386449, duration.command.search.index=8549, invocations.command.search.index.bucketcache.hit=125, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58308, invocations.command.search.rawdata.bucketcache.hit=7, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11625973, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 08:51:52.749, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655110140_32943', total_run_time=15.16, event_count=0, result_count=0, available_count=0, scan_count=21372395, drop_count=0, exec_time=1655110190, api_et=1655095740.000000000, api_lt=1655110140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655095740.000000000, search_lt=1655110140.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2572", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=125, eliminated_buckets=0, considered_events=21372395, total_slices=1296061, decompressed_slices=386103, duration.command.search.index=7869, invocations.command.search.index.bucketcache.hit=125, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58180, invocations.command.search.rawdata.bucketcache.hit=7, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11609785, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 08:51:52.679, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655110200_32966', total_run_time=15.37, event_count=0, result_count=0, available_count=0, scan_count=21383238, drop_count=0, exec_time=1655110249, api_et=1655095800.000000000, api_lt=1655110200.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655095800.000000000, search_lt=1655110200.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2785", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=125, eliminated_buckets=0, considered_events=21383238, total_slices=1297842, decompressed_slices=386270, duration.command.search.index=8345, invocations.command.search.index.bucketcache.hit=125, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61884, invocations.command.search.rawdata.bucketcache.hit=7, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11619007, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 08:51:52.392, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655110080_32920', total_run_time=13.57, event_count=0, result_count=0, available_count=0, scan_count=21357896, drop_count=0, exec_time=1655110129, api_et=1655095680.000000000, api_lt=1655110080.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655095680.000000000, search_lt=1655110080.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2607", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=125, eliminated_buckets=0, considered_events=21357896, total_slices=1294181, decompressed_slices=386041, duration.command.search.index=7837, invocations.command.search.index.bucketcache.hit=125, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55944, invocations.command.search.rawdata.bucketcache.hit=7, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11600474, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 08:48:16.633, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655110020_32903', total_run_time=12.81, event_count=0, result_count=0, available_count=0, scan_count=21345622, drop_count=0, exec_time=1655110069, api_et=1655095620.000000000, api_lt=1655110020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655095620.000000000, search_lt=1655110020.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2665", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=125, eliminated_buckets=0, considered_events=21345622, total_slices=1292350, decompressed_slices=385966, duration.command.search.index=7680, invocations.command.search.index.bucketcache.hit=125, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57930, invocations.command.search.rawdata.bucketcache.hit=7, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11592773, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 08:47:16.350, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655109960_32881', total_run_time=14.10, event_count=0, result_count=0, available_count=0, scan_count=21330974, drop_count=0, exec_time=1655110009, api_et=1655095560.000000000, api_lt=1655109960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655095560.000000000, search_lt=1655109960.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2551", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=125, eliminated_buckets=0, considered_events=21330974, total_slices=1290593, decompressed_slices=385971, duration.command.search.index=7645, invocations.command.search.index.bucketcache.hit=125, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57498, invocations.command.search.rawdata.bucketcache.hit=7, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11583311, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 08:46:16.468, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655109900_32863', total_run_time=13.67, event_count=0, result_count=0, available_count=0, scan_count=21320731, drop_count=0, exec_time=1655109950, api_et=1655095500.000000000, api_lt=1655109900.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655095500.000000000, search_lt=1655109900.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2831", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=125, eliminated_buckets=0, considered_events=21320731, total_slices=1288745, decompressed_slices=385768, duration.command.search.index=7715, invocations.command.search.index.bucketcache.hit=125, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56453, invocations.command.search.rawdata.bucketcache.hit=7, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11575466, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 08:45:19.346, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655109480_32703', total_run_time=12.74, event_count=0, result_count=0, available_count=0, scan_count=21236818, drop_count=0, exec_time=1655109529, api_et=1655095080.000000000, api_lt=1655109480.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655095080.000000000, search_lt=1655109480.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2726", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=1, considered_events=21236818, total_slices=1302596, decompressed_slices=384889, duration.command.search.index=7910, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57548, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11518541, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 08:45:18.818, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655109780_32820', total_run_time=13.89, event_count=0, result_count=0, available_count=0, scan_count=21299494, drop_count=0, exec_time=1655109829, api_et=1655095380.000000000, api_lt=1655109780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655095380.000000000, search_lt=1655109780.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3208", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=125, eliminated_buckets=0, considered_events=21299494, total_slices=1285064, decompressed_slices=385628, duration.command.search.index=7758, invocations.command.search.index.bucketcache.hit=125, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57716, invocations.command.search.rawdata.bucketcache.hit=7, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11558917, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 08:45:18.789, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655109840_32840', total_run_time=14.49, event_count=0, result_count=0, available_count=0, scan_count=21311906, drop_count=0, exec_time=1655109889, api_et=1655095440.000000000, api_lt=1655109840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655095440.000000000, search_lt=1655109840.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2719", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=125, eliminated_buckets=0, considered_events=21311906, total_slices=1286806, decompressed_slices=385672, duration.command.search.index=7947, invocations.command.search.index.bucketcache.hit=125, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55167, invocations.command.search.rawdata.bucketcache.hit=7, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11566469, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 08:45:18.637, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655109600_32742', total_run_time=13.56, event_count=0, result_count=0, available_count=0, scan_count=21261486, drop_count=0, exec_time=1655109649, api_et=1655095200.000000000, api_lt=1655109600.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655095200.000000000, search_lt=1655109600.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2699", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=21261486, total_slices=1306273, decompressed_slices=385136, duration.command.search.index=7569, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57443, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11535025, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 08:45:18.411, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1655109780_32817', total_run_time=20.88, event_count=0, result_count=0, available_count=0, scan_count=3828, drop_count=0, exec_time=1655109818, api_et=1655106180.000000000, api_lt=1655109780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655106180.000000000, search_lt=1655109820.898268000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2918", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_72c6b00b4842e8f4", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=122, eliminated_buckets=0, considered_events=3828, total_slices=1133259, decompressed_slices=1155, duration.command.search.index=1101, invocations.command.search.index.bucketcache.hit=122, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4993, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter 
vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 08:45:18.177, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655109720_32790', total_run_time=12.64, event_count=0, result_count=0, available_count=0, scan_count=21285045, drop_count=0, exec_time=1655109769, api_et=1655095320.000000000, api_lt=1655109720.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655095320.000000000, search_lt=1655109720.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2553", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=125, eliminated_buckets=0, considered_events=21285045, total_slices=1283151, decompressed_slices=385463, duration.command.search.index=8095, invocations.command.search.index.bucketcache.hit=125, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55755, invocations.command.search.rawdata.bucketcache.hit=7, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11550776, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 08:45:17.435, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655109540_32720', total_run_time=13.81, event_count=0, result_count=0, available_count=0, scan_count=21249748, drop_count=0, exec_time=1655109589, api_et=1655095140.000000000, api_lt=1655109540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655095140.000000000, search_lt=1655109540.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2699", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=1, considered_events=21249748, total_slices=1304490, decompressed_slices=385022, duration.command.search.index=7503, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59535, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11525422, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 08:45:17.298, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655109660_32767', total_run_time=12.82, event_count=0, result_count=0, available_count=0, scan_count=21272659, drop_count=0, exec_time=1655109710, api_et=1655095260.000000000, api_lt=1655109660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655095260.000000000, search_lt=1655109660.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2581", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=125, eliminated_buckets=0, considered_events=21272659, total_slices=1281373, decompressed_slices=385350, duration.command.search.index=8186, invocations.command.search.index.bucketcache.hit=125, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55218, invocations.command.search.rawdata.bucketcache.hit=7, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11543492, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 08:38:27.455, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655109420_32689', total_run_time=13.29, event_count=0, result_count=0, available_count=0, scan_count=21226295, drop_count=0, exec_time=1655109470, api_et=1655095020.000000000, api_lt=1655109420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655095020.000000000, search_lt=1655109420.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2759", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=1, considered_events=21226295, total_slices=1300812, decompressed_slices=384806, duration.command.search.index=7627, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57792, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11512256, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 08:37:18.251, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655109360_32674', total_run_time=12.68, event_count=0, result_count=0, available_count=0, scan_count=21215579, drop_count=0, exec_time=1655109410, api_et=1655094960.000000000, api_lt=1655109360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655094960.000000000, search_lt=1655109360.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2740", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=125, eliminated_buckets=0, considered_events=21215579, total_slices=1299062, decompressed_slices=384741, duration.command.search.index=7584, invocations.command.search.index.bucketcache.hit=125, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53957, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11507431, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 08:36:59.190, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655109180_32607', total_run_time=16.27, event_count=0, result_count=0, available_count=0, scan_count=21184664, drop_count=0, exec_time=1655109230, api_et=1655094780.000000000, api_lt=1655109180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655094780.000000000, search_lt=1655109180.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2725", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=124, eliminated_buckets=0, considered_events=21184664, total_slices=1293589, decompressed_slices=384500, duration.command.search.index=9538, invocations.command.search.index.bucketcache.hit=124, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61261, invocations.command.search.rawdata.bucketcache.hit=7, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11486923, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 08:36:59.173, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1655109180_32593', total_run_time=41.57, event_count=0, result_count=0, available_count=0, scan_count=39409136, drop_count=0, exec_time=1655109205, api_et=1655105580.000000000, api_lt=1655109180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655105580.000000000, search_lt=1655109207.658028000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="4151", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_eda6a586815c24f3", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1831, eliminated_buckets=134, considered_events=39409136, total_slices=13882027, decompressed_slices=3908297, duration.command.search.index=13916, invocations.command.search.index.bucketcache.hit=1827, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=225174, invocations.command.search.rawdata.bucketcache.hit=263, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 08:36:58.791, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655109240_32643', total_run_time=13.58, event_count=0, result_count=0, available_count=0, scan_count=21196449, drop_count=0, exec_time=1655109290, api_et=1655094840.000000000, api_lt=1655109240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655094840.000000000, search_lt=1655109240.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2963", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=124, eliminated_buckets=0, considered_events=21196449, total_slices=1295421, decompressed_slices=384474, duration.command.search.index=7964, invocations.command.search.index.bucketcache.hit=124, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55356, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11495398, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 08:36:58.339, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655109300_32664', total_run_time=12.57, event_count=0, result_count=0, available_count=0, scan_count=21206618, drop_count=0, exec_time=1655109350, api_et=1655094900.000000000, api_lt=1655109300.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655094900.000000000, search_lt=1655109300.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2724", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=125, eliminated_buckets=0, considered_events=21206618, total_slices=1297185, decompressed_slices=384610, duration.command.search.index=7686, invocations.command.search.index.bucketcache.hit=125, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52804, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11502310, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 08:36:57.501, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655109000_32513', total_run_time=16.89, event_count=0, result_count=0, available_count=0, scan_count=21157816, drop_count=0, exec_time=1655109050, api_et=1655094600.000000000, api_lt=1655109000.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655094600.000000000, search_lt=1655109000.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2621", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=124, eliminated_buckets=0, considered_events=21157816, total_slices=1288200, decompressed_slices=384102, duration.command.search.index=8473, invocations.command.search.index.bucketcache.hit=124, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=64681, invocations.command.search.rawdata.bucketcache.hit=6, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11474837, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 08:36:57.323, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655109120_32570', total_run_time=14.02, event_count=0, result_count=0, available_count=0, scan_count=21174461, drop_count=0, exec_time=1655109169, api_et=1655094720.000000000, api_lt=1655109120.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655094720.000000000, search_lt=1655109120.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2697", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=124, eliminated_buckets=0, considered_events=21174461, total_slices=1291504, decompressed_slices=384371, duration.command.search.index=7982, invocations.command.search.index.bucketcache.hit=124, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59009, invocations.command.search.rawdata.bucketcache.hit=6, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11481480, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 08:36:56.795, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655109060_32541', total_run_time=16.79, event_count=0, result_count=0, available_count=0, scan_count=21166684, drop_count=0, exec_time=1655109109, api_et=1655094660.000000000, api_lt=1655109060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655094660.000000000, search_lt=1655109060.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3100", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=124, eliminated_buckets=0, considered_events=21166684, total_slices=1289433, decompressed_slices=384172, duration.command.search.index=8713, invocations.command.search.index.bucketcache.hit=124, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61370, invocations.command.search.rawdata.bucketcache.hit=6, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11478480, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 08:36:56.657, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655108880_32470', total_run_time=12.94, event_count=0, result_count=0, available_count=0, scan_count=21147576, drop_count=0, exec_time=1655108929, api_et=1655094480.000000000, api_lt=1655108880.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655094480.000000000, search_lt=1655108880.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2540", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=124, eliminated_buckets=0, considered_events=21147576, total_slices=1284529, decompressed_slices=384119, duration.command.search.index=7838, invocations.command.search.index.bucketcache.hit=124, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=54427, invocations.command.search.rawdata.bucketcache.hit=6, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11469885, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 08:36:55.903, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655108940_32484', total_run_time=13.06, event_count=0, result_count=0, available_count=0, scan_count=21152095, drop_count=0, exec_time=1655108989, api_et=1655094540.000000000, api_lt=1655108940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655094540.000000000, search_lt=1655108940.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2313", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=124, eliminated_buckets=0, considered_events=21152095, total_slices=1286271, decompressed_slices=384091, duration.command.search.index=7701, invocations.command.search.index.bucketcache.hit=124, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52995, invocations.command.search.rawdata.bucketcache.hit=6, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11472034, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 08:28:07.609, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655108820_32455', total_run_time=12.78, event_count=0, result_count=0, available_count=0, scan_count=21141969, drop_count=0, exec_time=1655108869, api_et=1655094420.000000000, api_lt=1655108820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655094420.000000000, search_lt=1655108820.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2163", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=124, eliminated_buckets=0, considered_events=21141969, total_slices=1282731, decompressed_slices=384093, duration.command.search.index=7745, invocations.command.search.index.bucketcache.hit=124, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57751, invocations.command.search.rawdata.bucketcache.hit=6, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11467519, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 08:27:07.425, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655108760_32437', total_run_time=13.75, event_count=0, result_count=0, available_count=0, scan_count=21131815, drop_count=0, exec_time=1655108809, api_et=1655094360.000000000, api_lt=1655108760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655094360.000000000, search_lt=1655108760.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2643", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=123, eliminated_buckets=0, considered_events=21131815, total_slices=1280933, decompressed_slices=384077, duration.command.search.index=7595, invocations.command.search.index.bucketcache.hit=123, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57153, invocations.command.search.rawdata.bucketcache.hit=5, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11462692, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 08:26:12.228, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655108580_32389', total_run_time=12.60, event_count=0, result_count=0, available_count=0, scan_count=21111616, drop_count=0, exec_time=1655108629, api_et=1655094180.000000000, api_lt=1655108580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655094180.000000000, search_lt=1655108580.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2648", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=123, eliminated_buckets=0, considered_events=21111616, total_slices=1275564, decompressed_slices=384013, duration.command.search.index=7652, invocations.command.search.index.bucketcache.hit=123, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55367, invocations.command.search.rawdata.bucketcache.hit=5, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11450028, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 08:26:11.866, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655108700_32421', total_run_time=12.86, event_count=0, result_count=0, available_count=0, scan_count=21125159, drop_count=0, exec_time=1655108749, api_et=1655094300.000000000, api_lt=1655108700.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655094300.000000000, search_lt=1655108700.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3173", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=123, eliminated_buckets=0, considered_events=21125159, total_slices=1279159, decompressed_slices=384021, duration.command.search.index=7748, invocations.command.search.index.bucketcache.hit=123, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52494, invocations.command.search.rawdata.bucketcache.hit=5, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11460393, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 08:26:11.633, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655108640_32408', total_run_time=13.48, event_count=0, result_count=0, available_count=0, scan_count=21118276, drop_count=0, exec_time=1655108690, api_et=1655094240.000000000, api_lt=1655108640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655094240.000000000, search_lt=1655108640.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2793", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=123, eliminated_buckets=0, considered_events=21118276, total_slices=1277432, decompressed_slices=384040, duration.command.search.index=7546, invocations.command.search.index.bucketcache.hit=123, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55019, invocations.command.search.rawdata.bucketcache.hit=5, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11455075, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 08:23:09.050, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655108520_32355', total_run_time=14.15, event_count=0, result_count=0, available_count=0, scan_count=21107574, drop_count=0, exec_time=1655108569, api_et=1655094120.000000000, api_lt=1655108520.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655094120.000000000, search_lt=1655108520.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2667", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=123, eliminated_buckets=0, considered_events=21107574, total_slices=1273795, decompressed_slices=384060, duration.command.search.index=7523, invocations.command.search.index.bucketcache.hit=123, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56725, invocations.command.search.rawdata.bucketcache.hit=5, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11448568, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 08:22:26.711, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD5f35305de57109d38_at_1655108400_32312', total_run_time=13.42, event_count=11442583, result_count=15, available_count=0, scan_count=21091680, drop_count=0, exec_time=1655108457, api_et=1655094000.000000000, api_lt=1655108400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655094000.000000000, search_lt=1655108400.000000000, is_realtime=0, savedsearch_name="(1/3)_Public/NAT IP_Updating Existing IP", search_startup_time="2416", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_0f6d107c44b6659a", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=123, eliminated_buckets=0, considered_events=21091680, total_slices=1270511, decompressed_slices=383888, duration.command.search.index=7915, invocations.command.search.index.bucketcache.hit=123, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58448, invocations.command.search.rawdata.bucketcache.hit=5, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11442583, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="False" | eval earliest_seen=strptime(existing_es, "%m/%d/%Y %H:%M:%S.%N") | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(earliest_seen) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields ServiceType, host, src_translated_ip, earliest_seen, latest_seen, right_now, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 08:22:25.750, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655108400_32309', total_run_time=13.08, event_count=0, result_count=0, available_count=0, scan_count=21091680, drop_count=0, exec_time=1655108449, api_et=1655094000.000000000, api_lt=1655108400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655094000.000000000, search_lt=1655108400.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2634", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=123, eliminated_buckets=0, considered_events=21091680, total_slices=1270328, decompressed_slices=383886, duration.command.search.index=7767, invocations.command.search.index.bucketcache.hit=123, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59277, invocations.command.search.rawdata.bucketcache.hit=5, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11442583, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 08:22:25.309, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655108340_32285', total_run_time=12.25, event_count=0, result_count=0, available_count=0, scan_count=21082999, drop_count=0, exec_time=1655108389, api_et=1655093940.000000000, api_lt=1655108340.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655093940.000000000, search_lt=1655108340.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2705", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=123, eliminated_buckets=0, considered_events=21082999, total_slices=1268435, decompressed_slices=383894, duration.command.search.index=7619, invocations.command.search.index.bucketcache.hit=123, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=54747, invocations.command.search.rawdata.bucketcache.hit=5, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11438232, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 08:22:25.015, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655108280_32259', total_run_time=13.84, event_count=0, result_count=0, available_count=0, scan_count=21075336, drop_count=0, exec_time=1655108329, api_et=1655093880.000000000, api_lt=1655108280.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655093880.000000000, search_lt=1655108280.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2696", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=123, eliminated_buckets=0, considered_events=21075336, total_slices=1266717, decompressed_slices=383773, duration.command.search.index=8376, invocations.command.search.index.bucketcache.hit=123, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58627, invocations.command.search.rawdata.bucketcache.hit=5, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11434490, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 08:22:24.855, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655108460_32339', total_run_time=12.37, event_count=0, result_count=0, available_count=0, scan_count=21100058, drop_count=0, exec_time=1655108509, api_et=1655094060.000000000, api_lt=1655108460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655094060.000000000, search_lt=1655108460.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2654", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=123, eliminated_buckets=0, considered_events=21100058, total_slices=1271975, decompressed_slices=383979, duration.command.search.index=7900, invocations.command.search.index.bucketcache.hit=123, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55827, invocations.command.search.rawdata.bucketcache.hit=5, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11445493, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 08:18:12.767, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655108220_32238', total_run_time=12.48, event_count=0, result_count=0, available_count=0, scan_count=21067089, drop_count=0, exec_time=1655108269, api_et=1655093820.000000000, api_lt=1655108220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655093820.000000000, search_lt=1655108220.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2807", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=123, eliminated_buckets=0, considered_events=21067089, total_slices=1264870, decompressed_slices=383612, duration.command.search.index=7787, invocations.command.search.index.bucketcache.hit=123, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56572, invocations.command.search.rawdata.bucketcache.hit=5, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11431248, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 08:17:12.849, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655108160_32213', total_run_time=12.94, event_count=0, result_count=0, available_count=0, scan_count=21059484, drop_count=0, exec_time=1655108209, api_et=1655093760.000000000, api_lt=1655108160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655093760.000000000, search_lt=1655108160.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2517", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=124, eliminated_buckets=0, considered_events=21059484, total_slices=1290136, decompressed_slices=383581, duration.command.search.index=7816, invocations.command.search.index.bucketcache.hit=124, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55692, invocations.command.search.rawdata.bucketcache.hit=6, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11427877, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 08:16:42.909, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1655108160_32207', total_run_time=7.09, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655108171, api_et=1655103960.000000000, api_lt=1655107560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655104560.000000000, search_lt=1655108173.363877000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3663", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_5fd974199f064ea8", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1014, eliminated_buckets=339, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=686, invocations.command.search.index.bucketcache.hit=1014, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes 
values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 08:16:12.827, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655108100_32196', total_run_time=12.97, event_count=0, result_count=0, available_count=0, scan_count=21052364, drop_count=0, exec_time=1655108149, api_et=1655093700.000000000, api_lt=1655108100.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655093700.000000000, search_lt=1655108100.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2394", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=124, eliminated_buckets=1, considered_events=21052364, total_slices=1288366, 
decompressed_slices=383491, duration.command.search.index=7886, invocations.command.search.index.bucketcache.hit=124, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57703, invocations.command.search.rawdata.bucketcache.hit=6, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11422920, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 08:15:13.084, 
user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655108040_32177', total_run_time=12.66, event_count=0, result_count=0, available_count=0, scan_count=21044302, drop_count=0, exec_time=1655108089, api_et=1655093640.000000000, api_lt=1655108040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655093640.000000000, search_lt=1655108040.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2959", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=124, eliminated_buckets=1, considered_events=21044302, total_slices=1286546, decompressed_slices=383422, duration.command.search.index=7155, invocations.command.search.index.bucketcache.hit=124, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58142, invocations.command.search.rawdata.bucketcache.hit=6, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11416433, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" 
src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 08:14:43.065, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1655108040_32164', total_run_time=4.91, event_count=0, result_count=0, available_count=0, scan_count=14705, drop_count=0, exec_time=1655108063, api_et=1655104440.000000000, api_lt=1655108040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655104440.000000000, search_lt=1655108065.098307000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2782", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=418, eliminated_buckets=284, considered_events=14775, total_slices=652894, decompressed_slices=2614, duration.command.search.index=973, invocations.command.search.index.bucketcache.hit=418, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5624, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=38, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=66, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=187, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=46, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=4, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=44, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=4, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR 
sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." 
(CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-13-2022 08:14:12.890, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655107980_32154', total_run_time=12.64, event_count=0, result_count=0, available_count=0, scan_count=21036770, drop_count=0, exec_time=1655108029, api_et=1655093580.000000000, api_lt=1655107980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655093580.000000000, search_lt=1655107980.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2643", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=124, eliminated_buckets=1, considered_events=21036770, total_slices=1284862, decompressed_slices=383432, duration.command.search.index=7472, invocations.command.search.index.bucketcache.hit=124, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58652, invocations.command.search.rawdata.bucketcache.hit=6, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11411479, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 08:13:12.933, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655107920_32126', total_run_time=12.08, event_count=0, result_count=0, available_count=0, scan_count=21025177, drop_count=0, exec_time=1655107969, api_et=1655093520.000000000, api_lt=1655107920.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655093520.000000000, search_lt=1655107920.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2658", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=124, eliminated_buckets=1, considered_events=21025177, total_slices=1283064, decompressed_slices=383373, duration.command.search.index=7574, invocations.command.search.index.bucketcache.hit=124, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59719, invocations.command.search.rawdata.bucketcache.hit=6, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11405198, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 08:12:12.707, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655107860_32108', total_run_time=13.00, event_count=0, result_count=0, available_count=0, scan_count=21014156, drop_count=0, exec_time=1655107910, api_et=1655093460.000000000, api_lt=1655107860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655093460.000000000, search_lt=1655107860.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2947", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=124, eliminated_buckets=1, considered_events=21014156, total_slices=1281331, decompressed_slices=383340, duration.command.search.index=7640, invocations.command.search.index.bucketcache.hit=124, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56566, invocations.command.search.rawdata.bucketcache.hit=6, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11399746, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 08:11:12.830, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1655107860_32089', total_run_time=5.33, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655107864, api_et=1655104260.000000000, api_lt=1655107860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655104260.000000000, search_lt=1655107866.634751000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="3208", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_6b3447e20c69b971", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=120, eliminated_buckets=45, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=63, invocations.command.search.index.bucketcache.hit=120, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting 
to collect intellectual property from the Gitlab source control system." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 08:11:12.698, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655107800_32082', total_run_time=14.23, event_count=0, result_count=0, available_count=0, scan_count=21007456, drop_count=0, exec_time=1655107849, api_et=1655093400.000000000, api_lt=1655107800.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655093400.000000000, search_lt=1655107800.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2638", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=124, eliminated_buckets=1, considered_events=21007456, total_slices=1279518, decompressed_slices=383181, duration.command.search.index=7655, invocations.command.search.index.bucketcache.hit=124, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58825, invocations.command.search.rawdata.bucketcache.hit=6, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11395000, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 08:10:08.942, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655107740_32062', total_run_time=13.11, event_count=0, result_count=0, available_count=0, scan_count=20997888, drop_count=0, exec_time=1655107789, api_et=1655093340.000000000, api_lt=1655107740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655093340.000000000, search_lt=1655107740.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2711", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=124, eliminated_buckets=1, considered_events=20997888, total_slices=1277759, decompressed_slices=383142, duration.command.search.index=7401, invocations.command.search.index.bucketcache.hit=124, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=54725, invocations.command.search.rawdata.bucketcache.hit=6, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11390471, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 08:10:08.656, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1655107620_32032', total_run_time=20.71, event_count=1114, result_count=54, available_count=0, scan_count=357655, drop_count=0, exec_time=1655107680, api_et=1655104020.000000000, api_lt=1655107620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655104020.000000000, search_lt=1655107682.835528000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - Windows - CLI Threat Indicator Detected - Rule", search_startup_time="3148", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=423, eliminated_buckets=208, considered_events=363871, total_slices=575941, decompressed_slices=88521, duration.command.search.index=2876, invocations.command.search.index.bucketcache.hit=423, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=25912, invocations.command.search.rawdata.bucketcache.hit=7, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=1, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=290859, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=30588, 
search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-13-2022 08:10:08.380, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655107680_32046', total_run_time=12.46, event_count=0, result_count=0, available_count=0, scan_count=20989218, drop_count=0, exec_time=1655107729, api_et=1655093280.000000000, 
api_lt=1655107680.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655093280.000000000, search_lt=1655107680.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2596", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=124, eliminated_buckets=1, considered_events=20989218, total_slices=1275977, decompressed_slices=383072, duration.command.search.index=7450, invocations.command.search.index.bucketcache.hit=124, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55315, invocations.command.search.rawdata.bucketcache.hit=6, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11387009, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, 
earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 08:10:08.307, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655107620_32029', total_run_time=12.39, event_count=0, result_count=0, available_count=0, scan_count=20979307, drop_count=0, exec_time=1655107669, api_et=1655093220.000000000, api_lt=1655107620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655093220.000000000, search_lt=1655107620.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2719", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=124, eliminated_buckets=1, considered_events=20979307, total_slices=1274100, decompressed_slices=383052, duration.command.search.index=7672, invocations.command.search.index.bucketcache.hit=124, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=54493, invocations.command.search.rawdata.bucketcache.hit=6, duration.command.search.rawdata.bucketcache.hit=0, 
invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11381629, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 08:10:08.226, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1655107740_32054', total_run_time=23.12, event_count=0, result_count=0, available_count=0, scan_count=3838423, drop_count=0, exec_time=1655107745, api_et=1655103540.000000000, api_lt=1655107140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655103540.000000000, search_lt=1655107140.000000000, is_realtime=0, savedsearch_name="Threat - 
DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3119", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_bfa2218b8b73c6da", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=793, eliminated_buckets=365, considered_events=3838423, total_slices=1048144, decompressed_slices=177658, duration.command.search.index=1634, invocations.command.search.index.bucketcache.hit=791, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=29011, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=338, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId 
granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 08:07:59.550, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1655107620_32024', total_run_time=5.48, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655107646, api_et=1655104020.000000000, api_lt=1655107620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655104020.000000000, search_lt=1655107648.188048000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2827", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_f72e9ff2bf86d716", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=423, eliminated_buckets=208, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=680, invocations.command.search.index.bucketcache.hit=423, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, 
duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 08:07:29.440, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655107560_32007', total_run_time=12.78, event_count=0, result_count=0, available_count=0, scan_count=20968038, drop_count=0, exec_time=1655107610, api_et=1655093160.000000000, api_lt=1655107560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655093160.000000000, search_lt=1655107560.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2648", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=124, eliminated_buckets=1, considered_events=20968038, total_slices=1272371, decompressed_slices=383099, duration.command.search.index=7407, invocations.command.search.index.bucketcache.hit=124, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58157, invocations.command.search.rawdata.bucketcache.hit=6, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11375375, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 08:06:29.298, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655107500_31993', total_run_time=13.30, event_count=0, result_count=0, available_count=0, scan_count=20959540, drop_count=0, exec_time=1655107550, api_et=1655093100.000000000, api_lt=1655107500.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655093100.000000000, search_lt=1655107500.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2623", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=124, eliminated_buckets=1, considered_events=20959540, total_slices=1270567, decompressed_slices=383042, duration.command.search.index=7599, invocations.command.search.index.bucketcache.hit=124, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58333, invocations.command.search.rawdata.bucketcache.hit=6, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11370589, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 08:05:28.981, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655107380_31934', total_run_time=16.09, event_count=0, result_count=0, available_count=0, scan_count=20936137, drop_count=0, exec_time=1655107429, api_et=1655092980.000000000, api_lt=1655107380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655092980.000000000, search_lt=1655107380.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2616", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=124, eliminated_buckets=1, considered_events=20936137, total_slices=1266949, decompressed_slices=382894, duration.command.search.index=9550, invocations.command.search.index.bucketcache.hit=124, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=68012, invocations.command.search.rawdata.bucketcache.hit=6, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11355676, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 08:05:28.324, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655107440_31976', total_run_time=12.96, event_count=0, result_count=0, available_count=0, scan_count=20949222, drop_count=0, exec_time=1655107489, api_et=1655093040.000000000, api_lt=1655107440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655093040.000000000, search_lt=1655107440.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2779", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=124, eliminated_buckets=1, considered_events=20949222, total_slices=1268820, decompressed_slices=383017, duration.command.search.index=7748, invocations.command.search.index.bucketcache.hit=124, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58592, invocations.command.search.rawdata.bucketcache.hit=6, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11364344, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 08:03:10.999, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655107320_31886', total_run_time=15.73, event_count=0, result_count=0, available_count=0, scan_count=20927138, drop_count=0, exec_time=1655107369, api_et=1655092920.000000000, api_lt=1655107320.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655092920.000000000, search_lt=1655107320.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2777", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=124, eliminated_buckets=1, considered_events=20927138, total_slices=1265143, decompressed_slices=382807, duration.command.search.index=8867, invocations.command.search.index.bucketcache.hit=124, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=67595, invocations.command.search.rawdata.bucketcache.hit=6, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11350397, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 08:02:11.137, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655107260_31855', total_run_time=16.52, event_count=0, result_count=0, available_count=0, scan_count=20918279, drop_count=0, exec_time=1655107309, api_et=1655092860.000000000, api_lt=1655107260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655092860.000000000, search_lt=1655107260.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2566", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=124, eliminated_buckets=1, considered_events=20918279, total_slices=1263298, decompressed_slices=382756, duration.command.search.index=9546, invocations.command.search.index.bucketcache.hit=124, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=65285, invocations.command.search.rawdata.bucketcache.hit=6, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11344787, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 08:01:40.959, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655107200_31825', total_run_time=23.89, event_count=0, result_count=0, available_count=0, scan_count=20906585, drop_count=0, exec_time=1655107249, api_et=1655092800.000000000, api_lt=1655107200.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655092800.000000000, search_lt=1655107200.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2696", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=124, eliminated_buckets=1, considered_events=20906585, total_slices=1261567, decompressed_slices=382556, duration.command.search.index=9566, invocations.command.search.index.bucketcache.hit=124, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=69252, invocations.command.search.rawdata.bucketcache.hit=6, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11337227, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 07:44:10.919, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1655106180_31536', total_run_time=21.48, event_count=0, result_count=0, available_count=0, scan_count=3246, drop_count=0, exec_time=1655106218, api_et=1655102580.000000000, api_lt=1655106180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655102580.000000000, search_lt=1655106220.000877000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2892", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_22c104e543f15995", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=119, eliminated_buckets=0, considered_events=3246, total_slices=1010398, decompressed_slices=892, duration.command.search.index=1115, invocations.command.search.index.bucketcache.hit=119, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4897, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter 
vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 07:35:43.719, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1655105580_31330', total_run_time=36.80, event_count=0, result_count=0, available_count=0, scan_count=39064664, drop_count=0, exec_time=1655105605, api_et=1655101980.000000000, api_lt=1655105580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655101980.000000000, search_lt=1655105607.011335000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3909", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_e6c2c14818a44064", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1861, eliminated_buckets=134, considered_events=39064664, total_slices=13978810, decompressed_slices=3857003, duration.command.search.index=13737, invocations.command.search.index.bucketcache.hit=1854, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=216376, invocations.command.search.rawdata.bucketcache.hit=265, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 07:16:25.118, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1655104560_30988', total_run_time=8.38, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655104571, api_et=1655100360.000000000, api_lt=1655103960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655100960.000000000, search_lt=1655104572.962179000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3231", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_8b86273c9a67b456", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1010, eliminated_buckets=338, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=665, invocations.command.search.index.bucketcache.hit=1010, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes 
values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 07:14:55.754, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1655104440_30948', total_run_time=5.33, event_count=0, result_count=0, available_count=0, scan_count=12199, drop_count=0, exec_time=1655104463, api_et=1655100840.000000000, api_lt=1655104440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655100840.000000000, search_lt=1655104465.793736000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2848", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=426, eliminated_buckets=293, considered_events=12199, total_slices=704692, decompressed_slices=2649, duration.command.search.index=1081, 
invocations.command.search.index.bucketcache.hit=425, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5670, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=35, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=78, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=218, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=50, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=8, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=67, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=2, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR 
sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." 
(CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-13-2022 07:11:25.058, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1655104260_30882', total_run_time=5.29, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655104264, api_et=1655100660.000000000, api_lt=1655104260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655100660.000000000, search_lt=1655104266.343557000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="3173", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_f8cd2424d58d747a", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=119, eliminated_buckets=44, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=64, invocations.command.search.index.bucketcache.hit=119, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 07:09:55.312, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1655104140_30849', total_run_time=26.34, event_count=0, result_count=0, available_count=0, scan_count=4044493, drop_count=0, exec_time=1655104145, api_et=1655099940.000000000, api_lt=1655103540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655099940.000000000, search_lt=1655103540.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3084", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_dfd81c13902c77fd", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=799, eliminated_buckets=370, considered_events=4044493, total_slices=1056064, decompressed_slices=176707, duration.command.search.index=1656, invocations.command.search.index.bucketcache.hit=798, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=29121, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=240, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 07:08:25.109, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1655104020_30836', total_run_time=17.26, event_count=1106, result_count=55, available_count=0, scan_count=336918, drop_count=0, exec_time=1655104084, api_et=1655100420.000000000, api_lt=1655104020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655100420.000000000, search_lt=1655104086.385139000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2829", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=428, eliminated_buckets=205, considered_events=341941, total_slices=742620, decompressed_slices=118070, duration.command.search.index=3552, invocations.command.search.index.bucketcache.hit=428, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=29395, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=275478, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=29529, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | 
rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-13-2022 07:07:55.127, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1655104020_30825', total_run_time=6.16, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655104046, api_et=1655100420.000000000, api_lt=1655104020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655100420.000000000, search_lt=1655104048.368611000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2910", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_3018f62c651269d2", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=426, eliminated_buckets=204, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=771, invocations.command.search.index.bucketcache.hit=426, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, 
invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 06:44:30.460, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1655102580_30348', total_run_time=20.94, event_count=0, result_count=0, available_count=0, scan_count=4442, drop_count=0, exec_time=1655102618, api_et=1655098980.000000000, api_lt=1655102580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655098980.000000000, search_lt=1655102620.717625000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2764", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_f1d937b3aee7367a", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=120, eliminated_buckets=0, considered_events=4442, total_slices=887132, decompressed_slices=1329, duration.command.search.index=1042, invocations.command.search.index.bucketcache.hit=120, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4787, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 06:34:11.763, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1655101980_30137', total_run_time=37.59, event_count=0, result_count=0, available_count=0, scan_count=39128526, drop_count=0, exec_time=1655102005, api_et=1655098380.000000000, api_lt=1655101980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655098380.000000000, search_lt=1655102007.030110000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3620", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_037229fe969aac43", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1876, eliminated_buckets=134, considered_events=39128526, total_slices=14113662, decompressed_slices=3815919, duration.command.search.index=13935, invocations.command.search.index.bucketcache.hit=1871, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=215793, invocations.command.search.rawdata.bucketcache.hit=260, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 06:16:41.838, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1655100960_29783', total_run_time=8.09, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655100970, api_et=1655096760.000000000, api_lt=1655100360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655097360.000000000, search_lt=1655100972.706426000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3248", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_9e1b93ee2581ce9f", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1016, eliminated_buckets=339, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=685, invocations.command.search.index.bucketcache.hit=1016, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 06:14:31.055, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1655100840_29743', total_run_time=5.02, event_count=0, result_count=0, available_count=0, scan_count=9966, drop_count=0, exec_time=1655100863, api_et=1655097240.000000000, api_lt=1655100840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655097240.000000000, search_lt=1655100865.314101000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2824", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=415, eliminated_buckets=284, considered_events=9966, total_slices=697731, decompressed_slices=1849, duration.command.search.index=993, invocations.command.search.index.bucketcache.hit=415, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5615, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=38, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=105, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=262, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=63, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=12, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=77, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=3, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") 
`filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-13-2022 06:11:11.992, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1655100660_29676', total_run_time=4.71, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655100664, api_et=1655097060.000000000, api_lt=1655100660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655097060.000000000, search_lt=1655100666.538313000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2246", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_185639f92ac33273", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=119, eliminated_buckets=44, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=61, invocations.command.search.index.bucketcache.hit=119, 
duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 06:09:41.596, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1655100540_29642', total_run_time=16.81, event_count=0, result_count=0, available_count=0, scan_count=3890576, drop_count=0, exec_time=1655100545, api_et=1655096340.000000000, api_lt=1655099940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655096340.000000000, search_lt=1655099940.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3049", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_686945d30b20e9f8", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=794, eliminated_buckets=370, considered_events=3890576, total_slices=1103000, decompressed_slices=174732, duration.command.search.index=1683, invocations.command.search.index.bucketcache.hit=794, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=29823, invocations.command.search.rawdata.bucketcache.hit=9, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=250, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 06:08:41.615, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1655100420_29621', total_run_time=16.33, event_count=1101, result_count=63, available_count=0, scan_count=314946, drop_count=0, exec_time=1655100480, api_et=1655096820.000000000, api_lt=1655100420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655096820.000000000, search_lt=1655100482.244718000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2835", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=415, eliminated_buckets=203, considered_events=318174, total_slices=635098, decompressed_slices=80228, duration.command.search.index=2759, invocations.command.search.index.bucketcache.hit=415, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=23503, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=1, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=257974, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=27863, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype 
CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-13-2022 06:07:41.929, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1655100420_29616', total_run_time=5.50, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655100446, api_et=1655096820.000000000, api_lt=1655100420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655096820.000000000, search_lt=1655100448.335098000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2706", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_28b774a81fd455a4", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=414, eliminated_buckets=203, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=654, invocations.command.search.index.bucketcache.hit=414, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 05:44:17.491, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1655098980_29145', total_run_time=21.29, event_count=0, result_count=0, available_count=0, scan_count=3632, drop_count=0, exec_time=1655099018, api_et=1655095380.000000000, api_lt=1655098980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655095380.000000000, search_lt=1655099020.383712000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2873", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_7b9bd17d8fbad6a3", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=118, eliminated_buckets=0, considered_events=3632, total_slices=783442, decompressed_slices=928, duration.command.search.index=1056, invocations.command.search.index.bucketcache.hit=118, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4691, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 05:35:31.179, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1655098380_28941', total_run_time=36.10, event_count=0, result_count=0, available_count=0, scan_count=39537806, drop_count=0, exec_time=1655098405, api_et=1655094780.000000000, api_lt=1655098380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655094780.000000000, search_lt=1655098407.071774000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3904", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_3c0ff2ac7d332118", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1857, eliminated_buckets=134, considered_events=39537806, total_slices=13915104, decompressed_slices=3808364, duration.command.search.index=16297, invocations.command.search.index.bucketcache.hit=1853, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=215218, invocations.command.search.rawdata.bucketcache.hit=251, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 05:16:59.347, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1655097360_28605', total_run_time=24.01, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655097370, api_et=1655093160.000000000, api_lt=1655096760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655093760.000000000, search_lt=1655097372.091775000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3351", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_9c07f1d59d03c9d9", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1022, eliminated_buckets=344, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=676, invocations.command.search.index.bucketcache.hit=1021, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 05:14:40.422, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1655097240_28564', total_run_time=12.48, event_count=0, result_count=0, available_count=0, scan_count=16657, drop_count=0, exec_time=1655097263, api_et=1655093640.000000000, api_lt=1655097240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655093640.000000000, search_lt=1655097265.269522000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2913", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=418, eliminated_buckets=284, considered_events=16669, total_slices=800581, decompressed_slices=2823, duration.command.search.index=1182, invocations.command.search.index.bucketcache.hit=418, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=7393, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=47, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=74, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=207, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=46, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=9, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=78, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=6, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") 
`filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-13-2022 05:11:29.519, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1655097060_28498', total_run_time=6.81, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655097064, api_et=1655093460.000000000, api_lt=1655097060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655093460.000000000, search_lt=1655097066.749845000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="3254", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_cb53d11cf13e56fe", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=119, eliminated_buckets=44, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=57, invocations.command.search.index.bucketcache.hit=119, 
duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 05:09:59.397, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1655096940_28468', total_run_time=41.38, event_count=0, result_count=0, available_count=0, scan_count=3853293, drop_count=0, exec_time=1655096946, api_et=1655092740.000000000, api_lt=1655096340.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655092740.000000000, search_lt=1655096340.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3090", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_47111a2cd46aa5e3", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=772, eliminated_buckets=351, considered_events=3853293, total_slices=1059465, decompressed_slices=170153, duration.command.search.index=2619, invocations.command.search.index.bucketcache.hit=771, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55987, invocations.command.search.rawdata.bucketcache.hit=7, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=114, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 05:08:56.117, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1655096820_28449', total_run_time=30.64, event_count=1104, result_count=54, available_count=0, scan_count=322717, drop_count=0, exec_time=1655096880, api_et=1655093220.000000000, api_lt=1655096820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655093220.000000000, search_lt=1655096882.759782000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="3041", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=417, eliminated_buckets=204, considered_events=330228, total_slices=616539, decompressed_slices=87942, duration.command.search.index=9026, invocations.command.search.index.bucketcache.hit=417, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=103031, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=262491, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=27968, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | 
rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-13-2022 05:07:59.259, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1655096820_28443', total_run_time=18.03, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655096846, api_et=1655093220.000000000, api_lt=1655096820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655093220.000000000, search_lt=1655096848.885280000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="3039", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_49cadbd8c626ccf3", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=417, eliminated_buckets=204, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=2490, invocations.command.search.index.bucketcache.hit=417, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, 
invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 05:00:15.422, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655096340_28248', total_run_time=12.65, event_count=0, result_count=0, available_count=0, scan_count=19873342, drop_count=0, exec_time=1655096390, api_et=1655081940.000000000, api_lt=1655096340.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655081940.000000000, search_lt=1655096340.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2601", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=128, eliminated_buckets=0, considered_events=19873342, total_slices=1164567, decompressed_slices=387758, duration.command.search.index=6828, invocations.command.search.index.bucketcache.hit=128, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57809, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10780156, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 04:59:15.499, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655096280_28235', total_run_time=12.92, event_count=0, result_count=0, available_count=0, scan_count=19869903, drop_count=0, exec_time=1655096330, api_et=1655081880.000000000, api_lt=1655096280.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655081880.000000000, search_lt=1655096280.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3123", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=129, eliminated_buckets=0, considered_events=19869903, total_slices=1162855, decompressed_slices=387751, duration.command.search.index=7038, invocations.command.search.index.bucketcache.hit=129, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55940, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10777547, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 04:58:15.679, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655096220_28219', total_run_time=12.14, event_count=0, result_count=0, available_count=0, scan_count=19835105, drop_count=0, exec_time=1655096269, api_et=1655081820.000000000, api_lt=1655096220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655081820.000000000, search_lt=1655096220.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2642", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=129, eliminated_buckets=0, considered_events=19835105, total_slices=1188041, decompressed_slices=387565, duration.command.search.index=7225, invocations.command.search.index.bucketcache.hit=129, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55025, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10775501, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 04:57:15.627, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655096160_28202', total_run_time=12.17, event_count=0, result_count=0, available_count=0, scan_count=19829587, drop_count=0, exec_time=1655096209, api_et=1655081760.000000000, api_lt=1655096160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655081760.000000000, search_lt=1655096160.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2621", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=129, eliminated_buckets=0, considered_events=19829587, total_slices=1186225, decompressed_slices=387524, duration.command.search.index=6964, invocations.command.search.index.bucketcache.hit=129, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55458, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10774436, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 04:56:15.490, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655096100_28191', total_run_time=12.78, event_count=0, result_count=0, available_count=0, scan_count=19824236, drop_count=0, exec_time=1655096149, api_et=1655081700.000000000, api_lt=1655096100.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655081700.000000000, search_lt=1655096100.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2783", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=129, eliminated_buckets=0, considered_events=19824236, total_slices=1184627, decompressed_slices=387497, duration.command.search.index=7220, invocations.command.search.index.bucketcache.hit=129, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=54321, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10770882, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 04:55:03.258, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655095920_28135', total_run_time=13.78, event_count=0, result_count=0, available_count=0, scan_count=19810753, drop_count=0, exec_time=1655095970, api_et=1655081520.000000000, api_lt=1655095920.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655081520.000000000, search_lt=1655095920.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2589", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=129, eliminated_buckets=0, considered_events=19810753, total_slices=1179454, decompressed_slices=387521, duration.command.search.index=7384, invocations.command.search.index.bucketcache.hit=129, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55486, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10761939, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 04:55:02.584, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655096040_28176', total_run_time=12.27, event_count=0, result_count=0, available_count=0, scan_count=19819006, drop_count=0, exec_time=1655096090, api_et=1655081640.000000000, api_lt=1655096040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655081640.000000000, search_lt=1655096040.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2725", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=129, eliminated_buckets=0, considered_events=19819006, total_slices=1182922, decompressed_slices=387497, duration.command.search.index=7278, invocations.command.search.index.bucketcache.hit=129, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51715, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10767393, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 04:55:02.090, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655095980_28159', total_run_time=12.36, event_count=0, result_count=0, available_count=0, scan_count=19813261, drop_count=0, exec_time=1655096029, api_et=1655081580.000000000, api_lt=1655095980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655081580.000000000, search_lt=1655095980.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3093", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=129, eliminated_buckets=0, considered_events=19813261, total_slices=1181184, decompressed_slices=387439, duration.command.search.index=7170, invocations.command.search.index.bucketcache.hit=129, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52292, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10763726, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 04:52:29.325, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655095860_28118', total_run_time=12.21, event_count=0, result_count=0, available_count=0, scan_count=19804908, drop_count=0, exec_time=1655095909, api_et=1655081460.000000000, api_lt=1655095860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655081460.000000000, search_lt=1655095860.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2751", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=129, eliminated_buckets=0, considered_events=19804908, total_slices=1177690, decompressed_slices=387547, duration.command.search.index=7548, invocations.command.search.index.bucketcache.hit=129, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53257, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10759003, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 04:51:28.946, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655095800_28094', total_run_time=11.83, event_count=0, result_count=0, available_count=0, scan_count=19795115, drop_count=0, exec_time=1655095849, api_et=1655081400.000000000, api_lt=1655095800.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655081400.000000000, search_lt=1655095800.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2549", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=129, eliminated_buckets=1, considered_events=19795115, total_slices=1176129, decompressed_slices=387475, duration.command.search.index=7374, invocations.command.search.index.bucketcache.hit=129, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55609, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10753888, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 04:50:28.823, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655095740_28070', total_run_time=12.41, event_count=0, result_count=0, available_count=0, scan_count=19788771, drop_count=0, exec_time=1655095790, api_et=1655081340.000000000, api_lt=1655095740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655081340.000000000, search_lt=1655095740.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2626", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=129, eliminated_buckets=1, considered_events=19788771, total_slices=1174338, decompressed_slices=387434, duration.command.search.index=7461, invocations.command.search.index.bucketcache.hit=129, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52593, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10751735, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 04:49:28.919, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655095680_28049', total_run_time=13.13, event_count=0, result_count=0, available_count=0, scan_count=19782839, drop_count=0, exec_time=1655095729, api_et=1655081280.000000000, api_lt=1655095680.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655081280.000000000, search_lt=1655095680.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2588", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=129, eliminated_buckets=1, considered_events=19782839, total_slices=1172596, decompressed_slices=387417, duration.command.search.index=7328, invocations.command.search.index.bucketcache.hit=129, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55581, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10748237, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 04:48:29.257, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655095620_28032', total_run_time=12.11, event_count=0, result_count=0, available_count=0, scan_count=19777848, drop_count=0, exec_time=1655095669, api_et=1655081220.000000000, api_lt=1655095620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655081220.000000000, search_lt=1655095620.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2709", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=128, eliminated_buckets=0, considered_events=19777848, total_slices=1170827, decompressed_slices=387364, duration.command.search.index=7463, invocations.command.search.index.bucketcache.hit=128, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53738, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10745961, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 04:47:29.014, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655095560_28011', total_run_time=11.89, event_count=0, result_count=0, available_count=0, scan_count=19774962, drop_count=0, exec_time=1655095609, api_et=1655081160.000000000, api_lt=1655095560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655081160.000000000, search_lt=1655095560.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2526", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=128, eliminated_buckets=0, considered_events=19774962, total_slices=1169131, decompressed_slices=387381, duration.command.search.index=7304, invocations.command.search.index.bucketcache.hit=128, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52051, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10742948, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 04:46:28.810, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655095500_27993', total_run_time=12.70, event_count=0, result_count=0, available_count=0, scan_count=19769203, drop_count=0, exec_time=1655095550, api_et=1655081100.000000000, api_lt=1655095500.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655081100.000000000, search_lt=1655095500.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2656", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=128, eliminated_buckets=0, considered_events=19769203, total_slices=1167648, decompressed_slices=387324, duration.command.search.index=7038, invocations.command.search.index.bucketcache.hit=128, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56902, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10739770, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 04:45:14.813, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655095440_27970', total_run_time=11.72, event_count=0, result_count=0, available_count=0, scan_count=19762778, drop_count=0, exec_time=1655095489, api_et=1655081040.000000000, api_lt=1655095440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655081040.000000000, search_lt=1655095440.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2140", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=128, eliminated_buckets=0, considered_events=19762778, total_slices=1165856, decompressed_slices=387318, duration.command.search.index=7178, invocations.command.search.index.bucketcache.hit=128, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55057, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10738496, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 04:44:47.528, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655095380_27949', total_run_time=12.40, event_count=0, result_count=0, available_count=0, scan_count=19760015, drop_count=0, exec_time=1655095429, api_et=1655080980.000000000, api_lt=1655095380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655080980.000000000, search_lt=1655095380.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3099", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=128, eliminated_buckets=0, considered_events=19760015, total_slices=1164153, decompressed_slices=387281, duration.command.search.index=7210, invocations.command.search.index.bucketcache.hit=128, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56872, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10736046, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 04:44:47.305, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1655095380_27946', total_run_time=20.65, event_count=0, result_count=0, available_count=0, scan_count=3648, drop_count=0, exec_time=1655095418, api_et=1655091780.000000000, api_lt=1655095380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655091780.000000000, search_lt=1655095420.367441000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2819", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_16ccac1725705f1b", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=119, eliminated_buckets=0, considered_events=3648, total_slices=778489, decompressed_slices=1065, duration.command.search.index=1103, invocations.command.search.index.bucketcache.hit=119, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4861, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter 
vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 04:43:05.297, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655095320_27921', total_run_time=13.50, event_count=0, result_count=0, available_count=0, scan_count=19757711, drop_count=0, exec_time=1655095369, api_et=1655080920.000000000, api_lt=1655095320.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655080920.000000000, search_lt=1655095320.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2492", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=128, eliminated_buckets=0, considered_events=19757711, total_slices=1162442, decompressed_slices=387310, duration.command.search.index=7416, invocations.command.search.index.bucketcache.hit=128, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=54248, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10734010, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 04:42:05.533, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655095260_27898', total_run_time=12.41, event_count=0, result_count=0, available_count=0, scan_count=19753542, drop_count=0, exec_time=1655095309, api_et=1655080860.000000000, api_lt=1655095260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655080860.000000000, search_lt=1655095260.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2640", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=128, eliminated_buckets=0, considered_events=19753542, total_slices=1160818, decompressed_slices=387364, duration.command.search.index=7518, invocations.command.search.index.bucketcache.hit=128, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53902, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10730266, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 04:41:05.688, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655095200_27873', total_run_time=12.00, event_count=0, result_count=0, available_count=0, scan_count=19747574, drop_count=0, exec_time=1655095249, api_et=1655080800.000000000, api_lt=1655095200.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655080800.000000000, search_lt=1655095200.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2611", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=128, eliminated_buckets=0, considered_events=19747574, total_slices=1159217, decompressed_slices=387453, duration.command.search.index=7390, invocations.command.search.index.bucketcache.hit=128, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53409, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10727111, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 04:40:05.375, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655095140_27850', total_run_time=12.66, event_count=0, result_count=0, available_count=0, scan_count=19741971, drop_count=0, exec_time=1655095189, api_et=1655080740.000000000, api_lt=1655095140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655080740.000000000, search_lt=1655095140.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2785", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=128, eliminated_buckets=0, considered_events=19741971, total_slices=1157554, decompressed_slices=387515, duration.command.search.index=7141, invocations.command.search.index.bucketcache.hit=128, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53536, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10725085, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 04:39:28.247, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655095080_27834', total_run_time=12.08, event_count=0, result_count=0, available_count=0, scan_count=19737028, drop_count=0, exec_time=1655095129, api_et=1655080680.000000000, api_lt=1655095080.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655080680.000000000, search_lt=1655095080.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2928", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=128, eliminated_buckets=0, considered_events=19737028, total_slices=1155828, decompressed_slices=387461, duration.command.search.index=7130, invocations.command.search.index.bucketcache.hit=128, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53521, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10721252, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 04:38:05.428, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655095020_27819', total_run_time=11.64, event_count=0, result_count=0, available_count=0, scan_count=19732682, drop_count=0, exec_time=1655095069, api_et=1655080620.000000000, api_lt=1655095020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655080620.000000000, search_lt=1655095020.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2611", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=128, eliminated_buckets=0, considered_events=19732682, total_slices=1154090, decompressed_slices=387457, duration.command.search.index=6986, invocations.command.search.index.bucketcache.hit=128, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53539, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10718073, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 04:37:05.284, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655094960_27804', total_run_time=12.48, event_count=0, result_count=0, available_count=0, scan_count=19727081, drop_count=0, exec_time=1655095010, api_et=1655080560.000000000, api_lt=1655094960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655080560.000000000, search_lt=1655094960.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2651", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=128, eliminated_buckets=0, considered_events=19727081, total_slices=1152520, decompressed_slices=387380, duration.command.search.index=6955, invocations.command.search.index.bucketcache.hit=128, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=54743, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10714091, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 04:36:05.512, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655094900_27794', total_run_time=11.48, event_count=0, result_count=0, available_count=0, scan_count=19718429, drop_count=0, exec_time=1655094950, api_et=1655080500.000000000, api_lt=1655094900.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655080500.000000000, search_lt=1655094900.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2235", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=128, eliminated_buckets=0, considered_events=19718429, total_slices=1150748, decompressed_slices=387305, duration.command.search.index=6833, invocations.command.search.index.bucketcache.hit=128, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53264, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10709210, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 04:35:05.249, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655094840_27772', total_run_time=13.20, event_count=0, result_count=0, available_count=0, scan_count=19710857, drop_count=0, exec_time=1655094889, api_et=1655080440.000000000, api_lt=1655094840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655080440.000000000, search_lt=1655094840.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2701", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=128, eliminated_buckets=0, considered_events=19710857, total_slices=1149119, decompressed_slices=387240, duration.command.search.index=7292, invocations.command.search.index.bucketcache.hit=128, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53828, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10706870, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 04:34:26.126, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1655094780_27722', total_run_time=39.76, event_count=0, result_count=0, available_count=0, scan_count=39493293, drop_count=0, exec_time=1655094805, api_et=1655091180.000000000, api_lt=1655094780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655091180.000000000, search_lt=1655094806.983408000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3748", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_14c238fa4d62352b", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1876, eliminated_buckets=134, considered_events=39493293, total_slices=13974947, decompressed_slices=3817956, duration.command.search.index=13849, invocations.command.search.index.bucketcache.hit=1865, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=219866, invocations.command.search.rawdata.bucketcache.hit=250, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 04:34:25.557, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655094780_27736', total_run_time=16.12, event_count=0, result_count=0, available_count=0, scan_count=19706572, drop_count=0, exec_time=1655094829, api_et=1655080380.000000000, api_lt=1655094780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655080380.000000000, search_lt=1655094780.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2794", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=128, eliminated_buckets=0, considered_events=19706572, total_slices=1146994, decompressed_slices=387235, duration.command.search.index=8947, invocations.command.search.index.bucketcache.hit=128, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=63779, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10704672, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 04:33:05.465, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655094720_27699', total_run_time=13.43, event_count=0, result_count=0, available_count=0, scan_count=19701410, drop_count=0, exec_time=1655094770, api_et=1655080320.000000000, api_lt=1655094720.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655080320.000000000, search_lt=1655094720.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2589", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=128, eliminated_buckets=1, considered_events=19701410, total_slices=1145634, decompressed_slices=387126, duration.command.search.index=7704, invocations.command.search.index.bucketcache.hit=128, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55582, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10701838, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 04:32:05.315, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655094660_27669', total_run_time=13.33, event_count=0, result_count=0, available_count=0, scan_count=19695459, drop_count=0, exec_time=1655094709, api_et=1655080260.000000000, api_lt=1655094660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655080260.000000000, search_lt=1655094660.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2664", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=128, eliminated_buckets=1, considered_events=19695459, total_slices=1144035, decompressed_slices=387155, duration.command.search.index=8243, invocations.command.search.index.bucketcache.hit=128, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56130, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10696260, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 04:31:05.529, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655094600_27640', total_run_time=13.30, event_count=0, result_count=0, available_count=0, scan_count=19690453, drop_count=0, exec_time=1655094649, api_et=1655080200.000000000, api_lt=1655094600.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655080200.000000000, search_lt=1655094600.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3000", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=128, eliminated_buckets=1, considered_events=19690453, total_slices=1142343, decompressed_slices=387123, duration.command.search.index=8061, invocations.command.search.index.bucketcache.hit=128, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56226, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10691476, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 04:30:05.309, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655094540_27610', total_run_time=13.41, event_count=0, result_count=0, available_count=0, scan_count=19680593, drop_count=0, exec_time=1655094590, api_et=1655080140.000000000, api_lt=1655094540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655080140.000000000, search_lt=1655094540.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2632", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=128, eliminated_buckets=1, considered_events=19680593, total_slices=1140621, decompressed_slices=387009, duration.command.search.index=6881, invocations.command.search.index.bucketcache.hit=128, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=54577, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10685068, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 04:29:33.513, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655094420_27582', total_run_time=12.12, event_count=0, result_count=0, available_count=0, scan_count=19665508, drop_count=0, exec_time=1655094469, api_et=1655080020.000000000, api_lt=1655094420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655080020.000000000, search_lt=1655094420.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2587", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=128, eliminated_buckets=1, considered_events=19665508, total_slices=1136519, decompressed_slices=386979, duration.command.search.index=7246, invocations.command.search.index.bucketcache.hit=128, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=54036, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10675945, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 04:29:33.490, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655094480_27597', total_run_time=11.69, event_count=0, result_count=0, available_count=0, scan_count=19662025, drop_count=0, exec_time=1655094529, api_et=1655080080.000000000, api_lt=1655094480.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655080080.000000000, search_lt=1655094480.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2733", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=128, eliminated_buckets=1, considered_events=19662025, total_slices=1138193, decompressed_slices=386877, duration.command.search.index=7195, invocations.command.search.index.bucketcache.hit=128, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51191, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10673226, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 04:27:29.378, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655094360_27564', total_run_time=11.87, event_count=0, result_count=0, available_count=0, scan_count=19661670, drop_count=0, exec_time=1655094409, api_et=1655079960.000000000, api_lt=1655094360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655079960.000000000, search_lt=1655094360.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2725", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=128, eliminated_buckets=1, considered_events=19661670, total_slices=1135546, decompressed_slices=387036, duration.command.search.index=7267, invocations.command.search.index.bucketcache.hit=128, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51731, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10673091, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 04:26:29.450, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655094300_27548', total_run_time=12.45, event_count=0, result_count=0, available_count=0, scan_count=19653638, drop_count=0, exec_time=1655094349, api_et=1655079900.000000000, api_lt=1655094300.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655079900.000000000, search_lt=1655094300.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3217", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=128, eliminated_buckets=1, considered_events=19653638, total_slices=1133854, decompressed_slices=386981, duration.command.search.index=7109, invocations.command.search.index.bucketcache.hit=128, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52381, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10666695, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 04:25:19.703, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655094240_27533', total_run_time=13.63, event_count=0, result_count=0, available_count=0, scan_count=19649065, drop_count=0, exec_time=1655094288, api_et=1655079840.000000000, api_lt=1655094240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655079840.000000000, search_lt=1655094240.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2324", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=129, eliminated_buckets=1, considered_events=19649065, total_slices=1159216, decompressed_slices=387016, duration.command.search.index=7774, invocations.command.search.index.bucketcache.hit=129, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53991, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10664655, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 04:24:59.738, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655094180_27515', total_run_time=12.17, event_count=0, result_count=0, available_count=0, scan_count=19643547, drop_count=0, exec_time=1655094229, api_et=1655079780.000000000, api_lt=1655094180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655079780.000000000, search_lt=1655094180.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2786", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=128, eliminated_buckets=0, considered_events=19643547, total_slices=1157532, decompressed_slices=387023, duration.command.search.index=7218, invocations.command.search.index.bucketcache.hit=128, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51111, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10662040, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 04:23:07.755, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655094120_27482', total_run_time=12.77, event_count=0, result_count=0, available_count=0, scan_count=19636753, drop_count=0, exec_time=1655094169, api_et=1655079720.000000000, api_lt=1655094120.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655079720.000000000, search_lt=1655094120.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2700", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=128, eliminated_buckets=0, considered_events=19636753, total_slices=1155839, decompressed_slices=386923, duration.command.search.index=7496, invocations.command.search.index.bucketcache.hit=128, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52640, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10658115, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 04:22:07.434, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655094060_27466', total_run_time=13.77, event_count=0, result_count=0, available_count=0, scan_count=19630117, drop_count=0, exec_time=1655094110, api_et=1655079660.000000000, api_lt=1655094060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655079660.000000000, search_lt=1655094060.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2660", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=128, eliminated_buckets=0, considered_events=19630117, total_slices=1154241, decompressed_slices=386872, duration.command.search.index=7397, invocations.command.search.index.bucketcache.hit=128, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53987, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10654811, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 04:21:24.270, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655093940_27414', total_run_time=12.29, event_count=0, result_count=0, available_count=0, scan_count=19622573, drop_count=0, exec_time=1655093989, api_et=1655079540.000000000, api_lt=1655093940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655079540.000000000, search_lt=1655093940.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2776", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=128, eliminated_buckets=0, considered_events=19622573, total_slices=1150872, decompressed_slices=386972, duration.command.search.index=7159, invocations.command.search.index.bucketcache.hit=128, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53304, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10650921, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 04:21:23.519, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655093880_27388', total_run_time=14.50, event_count=0, result_count=0, available_count=0, scan_count=19618514, drop_count=0, exec_time=1655093930, api_et=1655079480.000000000, api_lt=1655093880.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655079480.000000000, search_lt=1655093880.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2685", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=128, eliminated_buckets=0, considered_events=19618514, total_slices=1149184, decompressed_slices=386960, duration.command.search.index=7695, invocations.command.search.index.bucketcache.hit=128, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57243, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10649951, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 04:21:23.399, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655094000_27436', total_run_time=12.15, event_count=0, result_count=0, available_count=0, scan_count=19626841, drop_count=0, exec_time=1655094049, api_et=1655079600.000000000, api_lt=1655094000.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655079600.000000000, search_lt=1655094000.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2746", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=128, eliminated_buckets=0, considered_events=19626841, total_slices=1152468, decompressed_slices=386883, duration.command.search.index=7118, invocations.command.search.index.bucketcache.hit=128, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55016, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10652858, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 04:18:03.922, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655093820_27367', total_run_time=12.11, event_count=0, result_count=0, available_count=0, scan_count=19617354, drop_count=0, exec_time=1655093870, api_et=1655079420.000000000, api_lt=1655093820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655079420.000000000, search_lt=1655093820.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2660", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=129, eliminated_buckets=0, considered_events=19617354, total_slices=1174172, decompressed_slices=386916, duration.command.search.index=7276, invocations.command.search.index.bucketcache.hit=129, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=54515, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10649029, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 04:17:03.985, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655093760_27344', total_run_time=12.54, event_count=0, result_count=0, available_count=0, scan_count=19616097, drop_count=0, exec_time=1655093809, api_et=1655079360.000000000, api_lt=1655093760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655079360.000000000, search_lt=1655093760.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2639", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=0, considered_events=19616097, total_slices=1199390, decompressed_slices=387000, duration.command.search.index=7213, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=54175, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10647698, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 04:16:33.862, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1655093760_27338', total_run_time=13.29, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655093770, api_et=1655089560.000000000, api_lt=1655093160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655090160.000000000, search_lt=1655093777.151791000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="8165", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_b55c2759f5f49c6d", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1015, eliminated_buckets=341, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=609, invocations.command.search.index.bucketcache.hit=1015, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 04:16:03.843, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655093700_27326', total_run_time=13.65, event_count=0, result_count=0, available_count=0, scan_count=19615727, drop_count=0, exec_time=1655093749, api_et=1655079300.000000000, api_lt=1655093700.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655079300.000000000, search_lt=1655093700.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2707", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=0, considered_events=19615727, total_slices=1197745, decompressed_slices=386965, duration.command.search.index=7465, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=54433, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10649225, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 04:15:03.902, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655093640_27306', total_run_time=12.36, event_count=0, result_count=0, available_count=0, scan_count=19615189, drop_count=0, exec_time=1655093689, api_et=1655079240.000000000, api_lt=1655093640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655079240.000000000, search_lt=1655093640.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2792", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=0, considered_events=19615189, total_slices=1196094, decompressed_slices=386984, duration.command.search.index=7174, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53827, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10650947, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 04:14:33.784, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1655093640_27294', total_run_time=4.60, event_count=0, result_count=0, available_count=0, scan_count=12662, drop_count=0, exec_time=1655093663, api_et=1655090040.000000000, api_lt=1655093640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655090040.000000000, search_lt=1655093665.431276000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2861", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=413, eliminated_buckets=283, considered_events=12662, total_slices=780621, decompressed_slices=2274, duration.command.search.index=915, invocations.command.search.index.bucketcache.hit=413, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5666, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=45, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=80, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=217, 
sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=51, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=5, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=140, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=3, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR 
sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-13-2022 04:14:03.854, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655093580_27284', total_run_time=11.98, event_count=0, result_count=0, available_count=0, scan_count=19611808, drop_count=0, exec_time=1655093629, api_et=1655079180.000000000, api_lt=1655093580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655079180.000000000, search_lt=1655093580.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2741", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=0, considered_events=19611808, total_slices=1194404, decompressed_slices=386982, 
duration.command.search.index=7100, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=54448, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10650504, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 04:13:03.774, user=u00002, action=search, 
info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655093520_27257', total_run_time=12.79, event_count=0, result_count=0, available_count=0, scan_count=19612492, drop_count=0, exec_time=1655093569, api_et=1655079120.000000000, api_lt=1655093520.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655079120.000000000, search_lt=1655093520.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2701", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=0, considered_events=19612492, total_slices=1192741, decompressed_slices=386950, duration.command.search.index=7165, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56375, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10650853, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" 
src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 04:12:04.088, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655093460_27239', total_run_time=12.30, event_count=0, result_count=0, available_count=0, scan_count=19610850, drop_count=0, exec_time=1655093509, api_et=1655079060.000000000, api_lt=1655093460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655079060.000000000, search_lt=1655093460.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3023", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=0, considered_events=19610850, total_slices=1191129, decompressed_slices=386926, duration.command.search.index=7536, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, 
invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=54597, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10650149, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 04:11:34.154, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1655093460_27221', total_run_time=4.94, 
event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655093464, api_et=1655089860.000000000, api_lt=1655093460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655089860.000000000, search_lt=1655093466.153021000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2676", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_1f27c4ff503ac633", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=119, eliminated_buckets=44, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=55, invocations.command.search.index.bucketcache.hit=119, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) 
as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 04:11:03.840, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655093400_27214', total_run_time=13.42, event_count=0, result_count=0, available_count=0, scan_count=19607396, drop_count=0, exec_time=1655093449, api_et=1655079000.000000000, api_lt=1655093400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655079000.000000000, search_lt=1655093400.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2629", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=0, considered_events=19607396, total_slices=1189511, decompressed_slices=386869, duration.command.search.index=7426, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, 
duration.command.search.rawdata=54165, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10648459, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 04:10:22.466, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655093340_27193', total_run_time=12.77, event_count=0, result_count=0, available_count=0, scan_count=19605501, drop_count=0, exec_time=1655093389, api_et=1655078940.000000000, 
api_lt=1655093340.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655078940.000000000, search_lt=1655093340.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2751", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=0, considered_events=19605501, total_slices=1187812, decompressed_slices=386753, duration.command.search.index=7229, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53517, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10647781, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, 
earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 04:09:59.797, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655093280_27177', total_run_time=11.84, event_count=0, result_count=0, available_count=0, scan_count=19603414, drop_count=0, exec_time=1655093329, api_et=1655078880.000000000, api_lt=1655093280.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655078880.000000000, search_lt=1655093280.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2672", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=0, considered_events=19603414, total_slices=1186186, decompressed_slices=386680, duration.command.search.index=7331, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53955, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, 
invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10646021, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 04:09:59.577, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1655093340_27185', total_run_time=18.29, event_count=0, result_count=0, available_count=0, scan_count=3979262, drop_count=0, exec_time=1655093345, api_et=1655089140.000000000, api_lt=1655092740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655089140.000000000, search_lt=1655092740.000000000, is_realtime=0, savedsearch_name="Threat - 
DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3238", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_96d6fd47d993a85c", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=789, eliminated_buckets=364, considered_events=3979262, total_slices=1065582, decompressed_slices=169133, duration.command.search.index=1632, invocations.command.search.index.bucketcache.hit=786, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=29412, invocations.command.search.rawdata.bucketcache.hit=7, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=105, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId 
granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 04:09:59.463, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1655093220_27163', total_run_time=23.94, event_count=1131, result_count=54, available_count=0, scan_count=322489, drop_count=0, exec_time=1655093280, api_et=1655089620.000000000, api_lt=1655093220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655089620.000000000, search_lt=1655093282.515989000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2811", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=414, eliminated_buckets=202, considered_events=329066, total_slices=579314, decompressed_slices=85528, duration.command.search.index=2969, invocations.command.search.index.bucketcache.hit=414, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=24861, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, 
invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=263834, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=28342, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-13-2022 04:08:19.917, user=u00002, action=search, 
info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655093220_27160', total_run_time=13.46, event_count=0, result_count=0, available_count=0, scan_count=19598731, drop_count=0, exec_time=1655093269, api_et=1655078820.000000000, api_lt=1655093220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655078820.000000000, search_lt=1655093220.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2667", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=0, considered_events=19598731, total_slices=1184325, decompressed_slices=386637, duration.command.search.index=7429, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55303, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10643937, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" 
src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 04:07:50.095, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1655093220_27155', total_run_time=5.55, event_count=0, result_count=0, available_count=0, scan_count=2, drop_count=0, exec_time=1655093246, api_et=1655089620.000000000, api_lt=1655093220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655089620.000000000, search_lt=1655093248.205061000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2748", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_86996ca86aeaf375", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=414, eliminated_buckets=202, considered_events=2, total_slices=24943, decompressed_slices=2, duration.command.search.index=659, invocations.command.search.index.bucketcache.hit=414, duration.command.search.index.bucketcache.hit=0, 
invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=259, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 04:07:19.877, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655093160_27140', total_run_time=14.78, event_count=0, result_count=0, available_count=0, scan_count=19596105, drop_count=0, exec_time=1655093210, api_et=1655078760.000000000, api_lt=1655093160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655078760.000000000, search_lt=1655093160.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2676", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=0, considered_events=19596105, total_slices=1182735, decompressed_slices=386560, duration.command.search.index=7554, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56934, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10642961, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 04:06:19.318, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655093100_27125', total_run_time=14.40, event_count=0, result_count=0, available_count=0, scan_count=19591376, drop_count=0, exec_time=1655093150, api_et=1655078700.000000000, api_lt=1655093100.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655078700.000000000, search_lt=1655093100.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2642", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=0, considered_events=19591376, total_slices=1180940, decompressed_slices=386367, duration.command.search.index=8244, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57705, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10641288, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 04:05:49.203, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655093040_27107', total_run_time=26.67, event_count=0, result_count=0, available_count=0, scan_count=19587682, drop_count=0, exec_time=1655093090, api_et=1655078640.000000000, api_lt=1655093040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655078640.000000000, search_lt=1655093040.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2719", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=0, considered_events=19587682, total_slices=1179077, decompressed_slices=386404, duration.command.search.index=8191, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61499, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10640537, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 04:05:48.461, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655092980_27065', total_run_time=19.93, event_count=0, result_count=0, available_count=0, scan_count=19585179, drop_count=0, exec_time=1655093029, api_et=1655078580.000000000, api_lt=1655092980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655078580.000000000, search_lt=1655092980.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2230", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=0, considered_events=19585179, total_slices=1177337, decompressed_slices=386468, duration.command.search.index=9835, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=74890, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10639978, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 04:03:14.214, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655092920_27018', total_run_time=15.78, event_count=0, result_count=0, available_count=0, scan_count=19580639, drop_count=0, exec_time=1655092969, api_et=1655078520.000000000, api_lt=1655092920.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655078520.000000000, search_lt=1655092920.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2698", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=0, considered_events=19580639, total_slices=1175661, decompressed_slices=386550, duration.command.search.index=8485, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=67098, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10637262, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 04:02:13.663, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655092860_26988', total_run_time=17.59, event_count=0, result_count=0, available_count=0, scan_count=19574220, drop_count=0, exec_time=1655092910, api_et=1655078460.000000000, api_lt=1655092860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655078460.000000000, search_lt=1655092860.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2651", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=0, considered_events=19574220, total_slices=1174065, decompressed_slices=386471, duration.command.search.index=8834, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=66215, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10634859, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 04:01:13.726, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655092800_26956', total_run_time=16.30, event_count=0, result_count=0, available_count=0, scan_count=19551029, drop_count=0, exec_time=1655092850, api_et=1655078400.000000000, api_lt=1655092800.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655078400.000000000, search_lt=1655092800.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2722", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=0, considered_events=19551029, total_slices=1172314, decompressed_slices=386143, duration.command.search.index=8941, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=68319, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10617661, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 03:44:40.907, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1655091780_26656', total_run_time=22.90, event_count=0, result_count=0, available_count=0, scan_count=3376, drop_count=0, exec_time=1655091818, api_et=1655088180.000000000, api_lt=1655091780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655088180.000000000, search_lt=1655091819.983107000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2937", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_a5d0520728339dda", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=122, eliminated_buckets=0, considered_events=3376, total_slices=763468, decompressed_slices=1048, duration.command.search.index=1101, invocations.command.search.index.bucketcache.hit=122, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4700, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter 
vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 03:36:57.473, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1655091180_26446', total_run_time=34.71, event_count=0, result_count=0, available_count=0, scan_count=39343001, drop_count=0, exec_time=1655091205, api_et=1655087580.000000000, api_lt=1655091180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655087580.000000000, search_lt=1655091207.585526000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3865", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_ea81e5e3d6fdb013", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1865, eliminated_buckets=134, considered_events=39343001, total_slices=13978274, decompressed_slices=3799823, duration.command.search.index=13511, invocations.command.search.index.bucketcache.hit=1857, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=214034, invocations.command.search.rawdata.bucketcache.hit=234, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 03:16:20.591, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1655090160_26101', total_run_time=8.44, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655090171, api_et=1655085960.000000000, api_lt=1655089560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655086560.000000000, search_lt=1655090172.917731000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3200", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_04cb533fabdc9831", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1012, eliminated_buckets=341, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=627, invocations.command.search.index.bucketcache.hit=1012, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes 
values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 03:14:37.954, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1655090040_26060', total_run_time=4.32, event_count=0, result_count=0, available_count=0, scan_count=19907, drop_count=0, exec_time=1655090063, api_et=1655086440.000000000, api_lt=1655090040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655086440.000000000, search_lt=1655090064.962641000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2805", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=416, eliminated_buckets=285, considered_events=19977, total_slices=773563, decompressed_slices=2874, duration.command.search.index=931, 
invocations.command.search.index.bucketcache.hit=416, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5760, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=38, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=103, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=284, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=63, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=8, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=75, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=5, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR 
sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." 
(CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-13-2022 03:11:19.154, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1655089860_25993', total_run_time=5.83, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655089864, api_et=1655086260.000000000, api_lt=1655089860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655086260.000000000, search_lt=1655089866.776204000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="3331", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_57e26b3f7f337dfb", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=119, eliminated_buckets=44, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=55, invocations.command.search.index.bucketcache.hit=119, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 03:10:49.432, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1655089740_25959', total_run_time=21.77, event_count=0, result_count=0, available_count=0, scan_count=3819435, drop_count=0, exec_time=1655089746, api_et=1655085540.000000000, api_lt=1655089140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655085540.000000000, search_lt=1655089140.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3240", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_ebbf09e663ef56b1", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=793, eliminated_buckets=368, considered_events=3819435, total_slices=1136461, decompressed_slices=166183, duration.command.search.index=1542, invocations.command.search.index.bucketcache.hit=792, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=28923, invocations.command.search.rawdata.bucketcache.hit=9, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=120, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 03:10:49.259, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1655089620_25939', total_run_time=13.69, event_count=1167, result_count=54, available_count=0, scan_count=343311, drop_count=0, exec_time=1655089680, api_et=1655086020.000000000, api_lt=1655089620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655086020.000000000, search_lt=1655089682.434596000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2910", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=415, eliminated_buckets=203, considered_events=349062, total_slices=547705, decompressed_slices=78048, duration.command.search.index=2910, invocations.command.search.index.bucketcache.hit=415, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=23729, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=1, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=279591, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=28765, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype 
CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-13-2022 03:07:33.319, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1655089620_25934', total_run_time=5.13, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655089646, api_et=1655086020.000000000, api_lt=1655089620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655086020.000000000, search_lt=1655089648.539251000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2756", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_3c93ab4eb31fa0d3", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=415, eliminated_buckets=203, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=612, invocations.command.search.index.bucketcache.hit=415, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 02:44:26.350, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1655088180_25438', total_run_time=20.55, event_count=0, result_count=0, available_count=0, scan_count=3731, drop_count=0, exec_time=1655088218, api_et=1655084580.000000000, api_lt=1655088180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655084580.000000000, search_lt=1655088220.451478000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2871", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_73bd5288f77956d4", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=119, eliminated_buckets=0, considered_events=3731, total_slices=665734, decompressed_slices=1159, duration.command.search.index=1037, invocations.command.search.index.bucketcache.hit=119, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4847, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 02:35:11.854, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1655087580_25230', total_run_time=36.32, event_count=0, result_count=0, available_count=0, scan_count=38988193, drop_count=0, exec_time=1655087606, api_et=1655083980.000000000, api_lt=1655087580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655083980.000000000, search_lt=1655087608.310215000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3782", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_91fb86b70364ee90", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1849, eliminated_buckets=134, considered_events=38988193, total_slices=13744394, decompressed_slices=3803972, duration.command.search.index=15593, invocations.command.search.index.bucketcache.hit=1839, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=215420, invocations.command.search.rawdata.bucketcache.hit=219, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 02:16:40.798, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1655086560_24877', total_run_time=8.62, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655086570, api_et=1655082360.000000000, api_lt=1655085960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655082960.000000000, search_lt=1655086572.340687000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3773", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_4dbefe42175b5382", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1013, eliminated_buckets=341, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=676, invocations.command.search.index.bucketcache.hit=1013, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 02:14:40.677, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1655086440_24837', total_run_time=4.68, event_count=0, result_count=0, available_count=0, scan_count=16189, drop_count=0, exec_time=1655086463, api_et=1655082840.000000000, api_lt=1655086440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655082840.000000000, search_lt=1655086465.684548000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2871", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=413, eliminated_buckets=284, considered_events=16206, total_slices=725076, decompressed_slices=2463, duration.command.search.index=1113, invocations.command.search.index.bucketcache.hit=413, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5682, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=39, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=76, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=341, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=46, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=8, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=126, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=4, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") 
`filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-13-2022 02:11:40.687, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1655086260_24770', total_run_time=5.86, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655086264, api_et=1655082660.000000000, api_lt=1655086260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655082660.000000000, search_lt=1655086266.730037000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2735", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_6d21bff325c6d284", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=119, eliminated_buckets=44, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=70, invocations.command.search.index.bucketcache.hit=119, 
duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 02:10:11.462, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1655086020_24719', total_run_time=21.04, event_count=2050, result_count=108, available_count=0, scan_count=401906, drop_count=0, exec_time=1655086080, api_et=1655082420.000000000, api_lt=1655086020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655082420.000000000, search_lt=1655086081.912057000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2744", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=413, eliminated_buckets=201, considered_events=409616, total_slices=507557, decompressed_slices=83704, duration.command.search.index=2834, invocations.command.search.index.bucketcache.hit=413, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=25516, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=1, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=326168, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=35679, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-13-2022 02:10:11.420, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1655086140_24739', total_run_time=22.14, event_count=0, result_count=0, available_count=0, scan_count=3906001, drop_count=0, exec_time=1655086145, api_et=1655081940.000000000, api_lt=1655085540.000000000, 
api_index_et=N/A, api_index_lt=N/A, search_et=1655081940.000000000, search_lt=1655085540.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="2993", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_6de7c26f0e3bdb08", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=781, eliminated_buckets=359, considered_events=3906001, total_slices=1085266, decompressed_slices=169934, duration.command.search.index=1610, invocations.command.search.index.bucketcache.hit=779, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=29411, invocations.command.search.rawdata.bucketcache.hit=7, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=89, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats 
earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 02:08:01.508, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1655086020_24714', total_run_time=6.37, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655086046, api_et=1655082420.000000000, api_lt=1655086020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655082420.000000000, search_lt=1655086048.390236000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2841", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_09a2aa2e48134541", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=413, eliminated_buckets=201, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=685, invocations.command.search.index.bucketcache.hit=413, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, 
invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 01:44:00.504, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1655084580_24244', total_run_time=21.54, event_count=0, result_count=0, available_count=0, scan_count=3667, drop_count=0, exec_time=1655084618, api_et=1655080980.000000000, api_lt=1655084580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655080980.000000000, search_lt=1655084619.809797000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2226", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_9054efca039a3975", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=123, eliminated_buckets=0, considered_events=3667, total_slices=673995, decompressed_slices=1168, duration.command.search.index=1019, invocations.command.search.index.bucketcache.hit=123, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4792, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 01:36:41.552, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1655083980_24039', total_run_time=40.67, event_count=0, result_count=0, available_count=0, scan_count=39153089, drop_count=0, exec_time=1655084006, api_et=1655080380.000000000, api_lt=1655083980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655080380.000000000, search_lt=1655084007.974251000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3589", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_4891abb9ce78313a", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1860, eliminated_buckets=134, considered_events=39153089, total_slices=13742208, decompressed_slices=3805279, duration.command.search.index=13614, invocations.command.search.index.bucketcache.hit=1853, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=216651, invocations.command.search.rawdata.bucketcache.hit=250, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 01:16:35.263, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1655082960_23695', total_run_time=7.13, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655082970, api_et=1655078760.000000000, api_lt=1655082360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655079360.000000000, search_lt=1655082972.671251000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3223", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_46159435e5a4eec8", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1013, eliminated_buckets=342, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=639, invocations.command.search.index.bucketcache.hit=1013, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 01:14:35.395, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1655082840_23655', total_run_time=5.27, event_count=0, result_count=0, available_count=0, scan_count=6593, drop_count=0, exec_time=1655082863, api_et=1655079240.000000000, api_lt=1655082840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655079240.000000000, search_lt=1655082865.227943000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2806", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=416, eliminated_buckets=287, considered_events=6593, total_slices=653870, decompressed_slices=1881, duration.command.search.index=1142, invocations.command.search.index.bucketcache.hit=416, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5423, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=45, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=81, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=524, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=52, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=10, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=104, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=3, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") 
`filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-13-2022 01:11:35.224, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1655082660_23588', total_run_time=6.25, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655082664, api_et=1655079060.000000000, api_lt=1655082660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655079060.000000000, search_lt=1655082666.619373000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="3348", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_54debc474564b1ce", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=120, eliminated_buckets=45, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=77, invocations.command.search.index.bucketcache.hit=120, 
duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 01:09:35.529, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1655082540_23558', total_run_time=18.65, event_count=0, result_count=0, available_count=0, scan_count=3727829, drop_count=0, exec_time=1655082546, api_et=1655078340.000000000, api_lt=1655081940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655078340.000000000, search_lt=1655081940.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="2975", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_4c701b5f6c425823", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=774, eliminated_buckets=355, considered_events=3727829, total_slices=1070766, decompressed_slices=170444, duration.command.search.index=1607, invocations.command.search.index.bucketcache.hit=772, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=29202, invocations.command.search.rawdata.bucketcache.hit=5, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=107, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 01:08:52.698, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1655082420_23544', total_run_time=17.30, event_count=1771, result_count=107, available_count=0, scan_count=386679, drop_count=0, exec_time=1655082484, api_et=1655078820.000000000, api_lt=1655082420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655078820.000000000, search_lt=1655082486.385342000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2855", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=416, eliminated_buckets=201, considered_events=393251, total_slices=494274, decompressed_slices=78144, duration.command.search.index=2927, invocations.command.search.index.bucketcache.hit=416, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=23992, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=318721, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=34025, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | 
rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-13-2022 01:07:35.218, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1655082420_23533', total_run_time=4.39, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655082446, api_et=1655078820.000000000, api_lt=1655082420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655078820.000000000, search_lt=1655082448.438342000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="3000", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_d2b25a40a2698963", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=416, eliminated_buckets=201, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=603, invocations.command.search.index.bucketcache.hit=416, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, 
invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 01:00:05.368, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655081940_23341', total_run_time=11.83, event_count=0, result_count=0, available_count=0, scan_count=18989917, drop_count=0, exec_time=1655081990, api_et=1655067540.000000000, api_lt=1655081940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655067540.000000000, search_lt=1655081940.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2798", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=18989917, total_slices=1314187, decompressed_slices=366190, duration.command.search.index=6484, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52538, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10602580, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 00:59:05.319, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655081880_23328', total_run_time=11.53, event_count=0, result_count=0, available_count=0, scan_count=18990076, drop_count=0, exec_time=1655081930, api_et=1655067480.000000000, api_lt=1655081880.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655067480.000000000, search_lt=1655081880.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2672", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=0, considered_events=18990076, total_slices=1312497, decompressed_slices=366066, duration.command.search.index=6519, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=54088, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10605325, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 00:58:05.349, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655081820_23311', total_run_time=12.23, event_count=0, result_count=0, available_count=0, scan_count=18985166, drop_count=0, exec_time=1655081869, api_et=1655067420.000000000, api_lt=1655081820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655067420.000000000, search_lt=1655081820.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2614", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=0, considered_events=18985166, total_slices=1310724, decompressed_slices=365931, duration.command.search.index=6876, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53543, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10605880, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 00:57:05.338, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655081760_23292', total_run_time=11.84, event_count=0, result_count=0, available_count=0, scan_count=18980887, drop_count=0, exec_time=1655081809, api_et=1655067360.000000000, api_lt=1655081760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655067360.000000000, search_lt=1655081760.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2878", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=0, considered_events=18980887, total_slices=1309065, decompressed_slices=365822, duration.command.search.index=6509, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52586, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10604361, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 00:56:05.435, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655081700_23281', total_run_time=11.91, event_count=0, result_count=0, available_count=0, scan_count=18982845, drop_count=0, exec_time=1655081749, api_et=1655067300.000000000, api_lt=1655081700.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655067300.000000000, search_lt=1655081700.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2856", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=0, considered_events=18982845, total_slices=1307412, decompressed_slices=365802, duration.command.search.index=6648, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52070, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10607281, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 00:55:05.529, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655081640_23263', total_run_time=13.17, event_count=0, result_count=0, available_count=0, scan_count=18977951, drop_count=0, exec_time=1655081690, api_et=1655067240.000000000, api_lt=1655081640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655067240.000000000, search_lt=1655081640.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3327", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=0, considered_events=18977951, total_slices=1305740, decompressed_slices=365684, duration.command.search.index=6923, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=50064, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10605994, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 00:54:05.231, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655081580_23246', total_run_time=12.00, event_count=0, result_count=0, available_count=0, scan_count=18976098, drop_count=0, exec_time=1655081629, api_et=1655067180.000000000, api_lt=1655081580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655067180.000000000, search_lt=1655081580.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3325", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=0, considered_events=18976098, total_slices=1303979, decompressed_slices=365627, duration.command.search.index=6858, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=48669, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10606799, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 00:53:05.265, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655081520_23220', total_run_time=12.35, event_count=0, result_count=0, available_count=0, scan_count=18971846, drop_count=0, exec_time=1655081569, api_et=1655067120.000000000, api_lt=1655081520.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655067120.000000000, search_lt=1655081520.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2743", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=0, considered_events=18971846, total_slices=1302209, decompressed_slices=365521, duration.command.search.index=6788, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51509, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10606978, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 00:52:05.834, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655081460_23203', total_run_time=11.84, event_count=0, result_count=0, available_count=0, scan_count=18968515, drop_count=0, exec_time=1655081509, api_et=1655067060.000000000, api_lt=1655081460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655067060.000000000, search_lt=1655081460.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2636", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=0, considered_events=18968515, total_slices=1300635, decompressed_slices=365479, duration.command.search.index=7339, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52634, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10607412, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 00:51:05.489, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655081400_23179', total_run_time=13.74, event_count=0, result_count=0, available_count=0, scan_count=18967323, drop_count=0, exec_time=1655081450, api_et=1655067000.000000000, api_lt=1655081400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655067000.000000000, search_lt=1655081400.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2843", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=18967323, total_slices=1352381, decompressed_slices=365381, duration.command.search.index=6884, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=54542, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10608385, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 00:50:23.076, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655081340_23156', total_run_time=11.52, event_count=0, result_count=0, available_count=0, scan_count=18966046, drop_count=0, exec_time=1655081389, api_et=1655066940.000000000, api_lt=1655081340.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655066940.000000000, search_lt=1655081340.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2645", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=18966046, total_slices=1350652, decompressed_slices=365373, duration.command.search.index=6746, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=50947, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10608522, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 00:50:22.773, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655081280_23132', total_run_time=12.20, event_count=0, result_count=0, available_count=0, scan_count=18965406, drop_count=0, exec_time=1655081329, api_et=1655066880.000000000, api_lt=1655081280.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655066880.000000000, search_lt=1655081280.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2647", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=18965406, total_slices=1348961, decompressed_slices=365295, duration.command.search.index=7227, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53370, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10609511, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 00:48:22.175, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655081220_23115', total_run_time=12.54, event_count=0, result_count=0, available_count=0, scan_count=18963649, drop_count=0, exec_time=1655081269, api_et=1655066820.000000000, api_lt=1655081220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655066820.000000000, search_lt=1655081220.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2737", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=18963649, total_slices=1347248, decompressed_slices=365153, duration.command.search.index=6636, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51116, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10609370, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 00:47:22.362, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655081160_23092', total_run_time=11.83, event_count=0, result_count=0, available_count=0, scan_count=18959220, drop_count=0, exec_time=1655081209, api_et=1655066760.000000000, api_lt=1655081160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655066760.000000000, search_lt=1655081160.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2682", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=18959220, total_slices=1345650, decompressed_slices=364984, duration.command.search.index=6648, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51255, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10608918, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 00:46:22.564, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655081100_23073', total_run_time=11.53, event_count=0, result_count=0, available_count=0, scan_count=18957432, drop_count=0, exec_time=1655081149, api_et=1655066700.000000000, api_lt=1655081100.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655066700.000000000, search_lt=1655081100.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2706", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=18957432, total_slices=1343932, decompressed_slices=364936, duration.command.search.index=6697, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=47597, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10609457, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 00:45:22.136, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655081040_23050', total_run_time=11.69, event_count=0, result_count=0, available_count=0, scan_count=18956533, drop_count=0, exec_time=1655081089, api_et=1655066640.000000000, api_lt=1655081040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655066640.000000000, search_lt=1655081040.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2794", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=18956533, total_slices=1342175, decompressed_slices=364901, duration.command.search.index=6605, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51010, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10610406, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 00:44:22.661, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655080980_23029', total_run_time=12.60, event_count=0, result_count=0, available_count=0, scan_count=18954058, drop_count=0, exec_time=1655081029, api_et=1655066580.000000000, api_lt=1655080980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655066580.000000000, search_lt=1655080980.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3108", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=18954058, total_slices=1340530, decompressed_slices=364745, duration.command.search.index=6542, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53627, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10611355, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 00:44:22.248, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1655080980_23026', total_run_time=20.68, event_count=0, result_count=0, available_count=0, scan_count=4099, drop_count=0, exec_time=1655081018, api_et=1655077380.000000000, api_lt=1655080980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655077380.000000000, search_lt=1655081019.963800000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2898", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_877ede33ddffdf43", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=124, eliminated_buckets=0, considered_events=4099, total_slices=708400, decompressed_slices=1077, duration.command.search.index=1074, invocations.command.search.index.bucketcache.hit=124, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4791, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:threat=18, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 00:43:22.505, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655080920_23000', total_run_time=12.17, event_count=0, result_count=0, available_count=0, scan_count=18952351, drop_count=0, exec_time=1655080969, api_et=1655066520.000000000, api_lt=1655080920.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655066520.000000000, search_lt=1655080920.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2579", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=18952351, total_slices=1338576, decompressed_slices=364561, duration.command.search.index=6669, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52733, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10611888, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 00:42:22.466, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655080860_22976', total_run_time=12.06, event_count=0, result_count=0, available_count=0, scan_count=18951030, drop_count=0, exec_time=1655080909, api_et=1655066460.000000000, api_lt=1655080860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655066460.000000000, search_lt=1655080860.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2644", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=18951030, total_slices=1337070, decompressed_slices=364410, duration.command.search.index=6847, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53317, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10613791, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 00:41:08.313, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655080800_22951', total_run_time=12.57, event_count=0, result_count=0, available_count=0, scan_count=18949686, drop_count=0, exec_time=1655080849, api_et=1655066400.000000000, api_lt=1655080800.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655066400.000000000, search_lt=1655080800.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2611", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=18949686, total_slices=1335382, decompressed_slices=364401, duration.command.search.index=6878, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=54326, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10614816, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 00:40:40.751, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655080740_22930', total_run_time=12.49, event_count=0, result_count=0, available_count=0, scan_count=18946610, drop_count=0, exec_time=1655080789, api_et=1655066340.000000000, api_lt=1655080740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655066340.000000000, search_lt=1655080740.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2585", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=18946610, total_slices=1333721, decompressed_slices=364294, duration.command.search.index=6843, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=47707, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10613941, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 00:40:39.629, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655080680_22914', total_run_time=11.62, event_count=0, result_count=0, available_count=0, scan_count=18946394, drop_count=0, exec_time=1655080729, api_et=1655066280.000000000, api_lt=1655080680.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655066280.000000000, search_lt=1655080680.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2695", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=18946394, total_slices=1331927, decompressed_slices=364256, duration.command.search.index=6738, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51318, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10616280, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 00:38:19.468, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655080620_22898', total_run_time=11.93, event_count=0, result_count=0, available_count=0, scan_count=18943731, drop_count=0, exec_time=1655080669, api_et=1655066220.000000000, api_lt=1655080620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655066220.000000000, search_lt=1655080620.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2617", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=18943731, total_slices=1330199, decompressed_slices=364163, duration.command.search.index=6580, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51216, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10617093, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 00:37:19.488, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655080560_22883', total_run_time=12.22, event_count=0, result_count=0, available_count=0, scan_count=18941939, drop_count=0, exec_time=1655080610, api_et=1655066160.000000000, api_lt=1655080560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655066160.000000000, search_lt=1655080560.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2672", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=18941939, total_slices=1328550, decompressed_slices=364103, duration.command.search.index=6552, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52945, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10617230, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 00:36:19.473, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655080500_22873', total_run_time=12.20, event_count=0, result_count=0, available_count=0, scan_count=18945539, drop_count=0, exec_time=1655080550, api_et=1655066100.000000000, api_lt=1655080500.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655066100.000000000, search_lt=1655080500.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2722", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=18945539, total_slices=1326873, decompressed_slices=364092, duration.command.search.index=6602, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52457, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10619808, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 00:35:16.862, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655080440_22852', total_run_time=13.36, event_count=0, result_count=0, available_count=0, scan_count=18945213, drop_count=0, exec_time=1655080490, api_et=1655066040.000000000, api_lt=1655080440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655066040.000000000, search_lt=1655080440.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2684", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=18945213, total_slices=1325227, decompressed_slices=364020, duration.command.search.index=6541, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51694, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10620514, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 00:34:46.169, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1655080380_22802', total_run_time=35.52, event_count=0, result_count=0, available_count=0, scan_count=39233704, drop_count=0, exec_time=1655080405, api_et=1655076780.000000000, api_lt=1655080380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655076780.000000000, search_lt=1655080407.041706000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3594", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_485dbb62c58480a0", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1897, eliminated_buckets=134, considered_events=39233704, total_slices=14086997, decompressed_slices=3810396, duration.command.search.index=13747, invocations.command.search.index.bucketcache.hit=1896, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=217204, invocations.command.search.rawdata.bucketcache.hit=276, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 00:34:46.034, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655080380_22816', total_run_time=14.96, event_count=0, result_count=0, available_count=0, scan_count=18945286, drop_count=0, exec_time=1655080429, api_et=1655065980.000000000, api_lt=1655080380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655065980.000000000, search_lt=1655080380.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2764", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=18945286, total_slices=1323425, decompressed_slices=363997, duration.command.search.index=7639, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58104, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10622484, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 00:33:19.702, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655080320_22779', total_run_time=16.91, event_count=0, result_count=0, available_count=0, scan_count=18945186, drop_count=0, exec_time=1655080369, api_et=1655065920.000000000, api_lt=1655080320.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655065920.000000000, search_lt=1655080320.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2889", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=18945186, total_slices=1321711, decompressed_slices=363960, duration.command.search.index=7123, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56541, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10624034, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 00:32:19.586, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655080260_22748', total_run_time=16.03, event_count=0, result_count=0, available_count=0, scan_count=18944164, drop_count=0, exec_time=1655080309, api_et=1655065860.000000000, api_lt=1655080260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655065860.000000000, search_lt=1655080260.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2779", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=18944164, total_slices=1320072, decompressed_slices=363860, duration.command.search.index=7716, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58005, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10625817, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 00:31:19.658, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655080200_22720', total_run_time=16.87, event_count=0, result_count=0, available_count=0, scan_count=18943475, drop_count=0, exec_time=1655080248, api_et=1655065800.000000000, api_lt=1655080200.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655065800.000000000, search_lt=1655080200.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3207", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=18943475, total_slices=1318488, decompressed_slices=363874, duration.command.search.index=7957, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58950, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10627347, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 00:30:04.509, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655080140_22692', total_run_time=12.14, event_count=0, result_count=0, available_count=0, scan_count=18942906, drop_count=0, exec_time=1655080189, api_et=1655065740.000000000, api_lt=1655080140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655065740.000000000, search_lt=1655080140.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2574", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=141, eliminated_buckets=0, considered_events=18942906, total_slices=1343468, decompressed_slices=363870, duration.command.search.index=7129, invocations.command.search.index.bucketcache.hit=141, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=49900, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10628586, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 00:29:49.201, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655080080_22678', total_run_time=11.92, event_count=0, result_count=0, available_count=0, scan_count=18945386, drop_count=0, exec_time=1655080129, api_et=1655065680.000000000, api_lt=1655080080.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655065680.000000000, search_lt=1655080080.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2649", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=141, eliminated_buckets=0, considered_events=18945386, total_slices=1341814, decompressed_slices=363742, duration.command.search.index=6773, invocations.command.search.index.bucketcache.hit=141, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=49897, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10632352, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 00:28:19.810, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655080020_22663', total_run_time=11.99, event_count=0, result_count=0, available_count=0, scan_count=18942471, drop_count=0, exec_time=1655080070, api_et=1655065620.000000000, api_lt=1655080020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655065620.000000000, search_lt=1655080020.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2550", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=18942471, total_slices=1340102, decompressed_slices=363611, duration.command.search.index=6491, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=54861, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10632532, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 00:27:19.803, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655079960_22644', total_run_time=12.34, event_count=0, result_count=0, available_count=0, scan_count=18941133, drop_count=0, exec_time=1655080009, api_et=1655065560.000000000, api_lt=1655079960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655065560.000000000, search_lt=1655079960.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2542", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=18941133, total_slices=1365162, decompressed_slices=363505, duration.command.search.index=6710, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=50262, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10632775, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 00:26:19.659, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655079900_22628', total_run_time=13.41, event_count=0, result_count=0, available_count=0, scan_count=18942820, drop_count=0, exec_time=1655079950, api_et=1655065500.000000000, api_lt=1655079900.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655065500.000000000, search_lt=1655079900.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3222", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=18942820, total_slices=1363542, decompressed_slices=363550, duration.command.search.index=6869, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52301, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10635210, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 00:25:24.368, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655079780_22595', total_run_time=11.93, event_count=0, result_count=0, available_count=0, scan_count=18929720, drop_count=0, exec_time=1655079829, api_et=1655065380.000000000, api_lt=1655079780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655065380.000000000, search_lt=1655079780.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2643", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=18929720, total_slices=1358698, decompressed_slices=363198, duration.command.search.index=6851, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=48819, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10630705, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 00:25:24.126, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655079840_22614', total_run_time=12.83, event_count=0, result_count=0, available_count=0, scan_count=18940257, drop_count=0, exec_time=1655079890, api_et=1655065440.000000000, api_lt=1655079840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655065440.000000000, search_lt=1655079840.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2725", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=18940257, total_slices=1361866, decompressed_slices=363500, duration.command.search.index=7356, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=49239, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10636253, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 00:23:19.351, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655079720_22562', total_run_time=12.57, event_count=0, result_count=0, available_count=0, scan_count=18939072, drop_count=0, exec_time=1655079769, api_et=1655065320.000000000, api_lt=1655079720.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655065320.000000000, search_lt=1655079720.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2613", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=18939072, total_slices=1358283, decompressed_slices=363352, duration.command.search.index=6797, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52012, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10639049, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 00:22:08.315, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655079660_22546', total_run_time=14.29, event_count=0, result_count=0, available_count=0, scan_count=18938703, drop_count=0, exec_time=1655079709, api_et=1655065260.000000000, api_lt=1655079660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655065260.000000000, search_lt=1655079660.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2629", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=141, eliminated_buckets=0, considered_events=18938703, total_slices=1383191, decompressed_slices=363244, duration.command.search.index=7103, invocations.command.search.index.bucketcache.hit=141, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51640, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10639942, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 00:21:47.452, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655079540_22490', total_run_time=12.35, event_count=0, result_count=0, available_count=0, scan_count=18933508, drop_count=0, exec_time=1655079589, api_et=1655065140.000000000, api_lt=1655079540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655065140.000000000, search_lt=1655079540.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2740", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=0, considered_events=18933508, total_slices=1380180, decompressed_slices=363046, duration.command.search.index=6715, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=50344, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10638646, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 00:21:46.981, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655079600_22516', total_run_time=12.51, event_count=0, result_count=0, available_count=0, scan_count=18936369, drop_count=0, exec_time=1655079649, api_et=1655065200.000000000, api_lt=1655079600.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655065200.000000000, search_lt=1655079600.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2751", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=18936369, total_slices=1381614, decompressed_slices=363144, duration.command.search.index=6935, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51974, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10639279, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 00:21:46.862, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655079480_22465', total_run_time=24.19, event_count=0, result_count=0, available_count=0, scan_count=18931724, drop_count=0, exec_time=1655079529, api_et=1655065080.000000000, api_lt=1655079480.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655065080.000000000, search_lt=1655079480.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2857", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=0, considered_events=18931724, total_slices=1378374, decompressed_slices=363016, duration.command.search.index=7210, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=62032, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10638175, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 00:21:46.709, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655079420_22443', total_run_time=24.22, event_count=0, result_count=0, available_count=0, scan_count=18926081, drop_count=0, exec_time=1655079469, api_et=1655065020.000000000, api_lt=1655079420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655065020.000000000, search_lt=1655079420.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2624", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=0, considered_events=18926081, total_slices=1376664, decompressed_slices=362988, duration.command.search.index=7378, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=63022, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10635888, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 00:21:45.970, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD5f35305de57109d38_at_1655079600_22519', total_run_time=13.55, event_count=10639279, result_count=15, available_count=0, scan_count=18936364, drop_count=0, exec_time=1655079657, api_et=1655065200.000000000, api_lt=1655079600.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655065200.000000000, search_lt=1655079600.000000000, is_realtime=0, savedsearch_name="(1/3)_Public/NAT IP_Updating Existing IP", search_startup_time="2317", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_0f6d107c44b6659a", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=18936364, total_slices=1381754, decompressed_slices=363145, duration.command.search.index=7003, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=50918, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10639279, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="False" | eval earliest_seen=strptime(existing_es, "%m/%d/%Y %H:%M:%S.%N") | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(earliest_seen) as 
earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields ServiceType, host, src_translated_ip, earliest_seen, latest_seen, right_now, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 00:17:43.822, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655079360_22419', total_run_time=26.98, event_count=0, result_count=0, available_count=0, scan_count=18924736, drop_count=0, exec_time=1655079409, api_et=1655064960.000000000, api_lt=1655079360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655064960.000000000, search_lt=1655079360.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2641", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=0, considered_events=18924736, total_slices=1375082, decompressed_slices=362891, duration.command.search.index=7693, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=68488, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10637638, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 00:16:43.937, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1655079360_22413', total_run_time=8.53, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655079370, api_et=1655075160.000000000, api_lt=1655078760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655075760.000000000, search_lt=1655079373.110769000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3816", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_8ee74be749464d9d", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1013, eliminated_buckets=342, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=653, invocations.command.search.index.bucketcache.hit=1013, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes 
values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 00:16:13.854, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655079300_22402', total_run_time=23.01, event_count=0, result_count=0, available_count=0, scan_count=18921246, drop_count=0, exec_time=1655079349, api_et=1655064900.000000000, api_lt=1655079300.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655064900.000000000, search_lt=1655079300.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2769", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=0, considered_events=18921246, total_slices=1399992, 
decompressed_slices=362814, duration.command.search.index=7244, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=62619, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10635996, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 00:15:39.088, 
user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1655079240_22370', total_run_time=4.24, event_count=0, result_count=0, available_count=0, scan_count=15990, drop_count=0, exec_time=1655079263, api_et=1655075640.000000000, api_lt=1655079240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655075640.000000000, search_lt=1655079265.747478000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2893", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=415, eliminated_buckets=286, considered_events=15990, total_slices=586979, decompressed_slices=2572, duration.command.search.index=954, invocations.command.search.index.bucketcache.hit=415, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5567, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=38, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=54, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=155, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=35, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=6, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=43, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=2, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull 
value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-13-2022 00:15:38.866, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655079240_22383', total_run_time=13.35, event_count=0, result_count=0, available_count=0, scan_count=18915235, drop_count=0, exec_time=1655079289, api_et=1655064840.000000000, api_lt=1655079240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655064840.000000000, search_lt=1655079240.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2803", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=0, considered_events=18915235, total_slices=1398308, decompressed_slices=362759, duration.command.search.index=6551, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, 
invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53078, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10633434, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 00:15:38.335, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655079180_22360', total_run_time=11.71, event_count=0, result_count=0, available_count=0, scan_count=18914414, drop_count=0, exec_time=1655079229, 
api_et=1655064780.000000000, api_lt=1655079180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655064780.000000000, search_lt=1655079180.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2808", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=0, considered_events=18914414, total_slices=1396645, decompressed_slices=362705, duration.command.search.index=6722, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=54429, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10635285, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS 
existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 00:13:16.764, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655079120_22331', total_run_time=20.63, event_count=0, result_count=0, available_count=0, scan_count=18911952, drop_count=0, exec_time=1655079170, api_et=1655064720.000000000, api_lt=1655079120.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655064720.000000000, search_lt=1655079120.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3132", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=0, considered_events=18911952, total_slices=1394973, decompressed_slices=362591, duration.command.search.index=7104, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55766, invocations.command.search.rawdata.bucketcache.hit=14, 
duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10635934, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 00:12:16.687, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655079060_22313', total_run_time=12.52, event_count=0, result_count=0, available_count=0, scan_count=18910350, drop_count=0, exec_time=1655079109, api_et=1655064660.000000000, api_lt=1655079060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655064660.000000000, 
search_lt=1655079060.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3168", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=0, considered_events=18910350, total_slices=1393443, decompressed_slices=362541, duration.command.search.index=6867, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=54397, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10636779, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | 
search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 00:11:16.980, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655079000_22287', total_run_time=21.53, event_count=0, result_count=0, available_count=0, scan_count=18908856, drop_count=0, exec_time=1655079049, api_et=1655064600.000000000, api_lt=1655079000.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655064600.000000000, search_lt=1655079000.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2773", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=0, considered_events=18908856, total_slices=1391842, decompressed_slices=362526, duration.command.search.index=7122, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=54591, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, 
duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10638051, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 00:11:16.692, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1655079060_22295', total_run_time=5.05, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655079064, api_et=1655075460.000000000, api_lt=1655079060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655075460.000000000, search_lt=1655079066.252032000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", 
search_startup_time="2826", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_a4aa2961fbc05aa4", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=119, eliminated_buckets=44, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=64, invocations.command.search.index.bucketcache.hit=119, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 
- Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 00:10:16.853, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655078940_22264', total_run_time=15.63, event_count=0, result_count=0, available_count=0, scan_count=18905932, drop_count=0, exec_time=1655078990, api_et=1655064540.000000000, api_lt=1655078940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655064540.000000000, search_lt=1655078940.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2615", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=0, considered_events=18905932, total_slices=1390246, decompressed_slices=362540, duration.command.search.index=6736, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56464, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10638084, 
search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 00:09:41.638, user=u00002, action=search, info=completed, search_id='scheduler__u00002__search__RMD5b133e58a16dd7195_at_1655078400_22178', total_run_time=233.87, event_count=2696, result_count=2695, available_count=0, scan_count=1757804, drop_count=0, exec_time=1655078690, api_et=1654992000.000000000, api_lt=1655078400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1567209600.000000000, search_lt=1655078400.000000000, is_realtime=0, savedsearch_name="DMO Confluence Aging Metrics", search_startup_time="64657", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_search_u00002_8ddec51c764238c9", app="search", 
provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=30401, eliminated_buckets=4806, considered_events=1757804, total_slices=14050207, decompressed_slices=1089877, duration.command.search.index=755785, invocations.command.search.index.bucketcache.hit=28410, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=2052, duration.command.search.index.bucketcache.miss=229242, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=216431, invocations.command.search.rawdata.bucketcache.hit=21288, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=397, duration.command.search.rawdata.bucketcache.miss=113431, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__access=71088, sourcetype_count__atlassian:confluence:access=1170765, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search earliest=08/31/2019:00:00:00 latest=now index=ops_confluence url IN ("https://confluence.tshirt.com/display/SEC/*") uri_path="/rest/quickreload/latest/*" | fields url, uri_path | rex field=uri_path "\/rest\/quickreload\/latest\/(?[^?]+)" | rex field=url "https:\/\/confluence.tshirt.com\/display\/SEC\/(?[^?]+)" | rex field=url "https://confluence.tshirt.com/display/~u00001/(?[^?]+)" | eval pageTitle=coalesce(pageTitle_1, pageTitle_2, "") | fields pageId, pageTitle | dedup pageId | join type=left pageId [search earliest=08/31/2019:00:00:00 latest=now index=ops_confluence PUT user=* url="https://confluence.tshirt.com/pages/resumedraft.action?draftId=*" uri_path="/rest/api/content/*" | rex field=uri_path 
"\/rest\/api\/content\/(?[^?]+)\?status=draft" | stats latest(_time) AS last_edited latest(user) AS last_edited_by by pageId | fields last_edited last_edited_by pageId] | fields last_edited pageTitle pageId last_edited_by | eval days=round(((now()-last_edited)/86400),0) | convert ctime(last_edited) | table last_edited pageTitle pageId last_edited_by days | where pageId!=0 | sort +days | outputlookup dmo_conf_age.csv'] Audit:[timestamp=06-13-2022 00:09:40.993, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655078820_22230', total_run_time=38.11, event_count=0, result_count=0, available_count=0, scan_count=18905179, drop_count=0, exec_time=1655078870, api_et=1655064420.000000000, api_lt=1655078820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655064420.000000000, search_lt=1655078820.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2752", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=0, considered_events=18905179, total_slices=1386906, decompressed_slices=362345, duration.command.search.index=6936, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=62578, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, 
invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10641398, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 00:09:40.958, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1655078940_22256', total_run_time=27.43, event_count=0, result_count=0, available_count=0, scan_count=3693825, drop_count=0, exec_time=1655078945, api_et=1655074740.000000000, api_lt=1655078340.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655074740.000000000, search_lt=1655078340.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3088", has_error_msg=false, 
fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_b018441e2adde09d", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=800, eliminated_buckets=374, considered_events=3693825, total_slices=1217457, decompressed_slices=165973, duration.command.search.index=1559, invocations.command.search.index.bucketcache.hit=797, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=28128, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=92, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, 
risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 00:09:40.893, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1655078820_22233', total_run_time=27.08, event_count=1087, result_count=54, available_count=0, scan_count=310745, drop_count=0, exec_time=1655078880, api_et=1655075220.000000000, api_lt=1655078820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655075220.000000000, search_lt=1655078882.604619000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2841", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=415, eliminated_buckets=201, considered_events=316352, total_slices=444810, decompressed_slices=76932, duration.command.search.index=3127, invocations.command.search.index.bucketcache.hit=415, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=24422, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, 
invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=255136, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=26796, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-13-2022 00:09:40.881, user=u00002, action=search, info=completed, 
search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655078880_22248', total_run_time=22.02, event_count=0, result_count=0, available_count=0, scan_count=18903978, drop_count=0, exec_time=1655078929, api_et=1655064480.000000000, api_lt=1655078880.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655064480.000000000, search_lt=1655078880.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2977", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=0, considered_events=18903978, total_slices=1388590, decompressed_slices=362398, duration.command.search.index=7077, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55596, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10638597, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" 
src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 00:08:04.970, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1655078820_22225', total_run_time=8.35, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655078847, api_et=1655075220.000000000, api_lt=1655078820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655075220.000000000, search_lt=1655078848.871466000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2798", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_d3540f5401f27bf0", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=415, eliminated_buckets=201, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=710, invocations.command.search.index.bucketcache.hit=415, duration.command.search.index.bucketcache.hit=0, 
invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-13-2022 00:07:35.085, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655078760_22209', total_run_time=24.53, event_count=0, result_count=0, available_count=0, scan_count=18904641, drop_count=0, exec_time=1655078810, api_et=1655064360.000000000, api_lt=1655078760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655064360.000000000, search_lt=1655078760.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2749", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=0, considered_events=18904641, total_slices=1385316, decompressed_slices=362225, duration.command.search.index=7395, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58079, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10642790, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 00:06:34.790, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655078700_22195', total_run_time=36.14, event_count=0, result_count=0, available_count=0, scan_count=18905003, drop_count=0, exec_time=1655078750, api_et=1655064300.000000000, api_lt=1655078700.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655064300.000000000, search_lt=1655078700.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3458", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=18905003, total_slices=1410870, decompressed_slices=362227, duration.command.search.index=7708, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=63111, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10643145, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 00:06:05.817, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655078640_22177', total_run_time=48.22, event_count=0, result_count=0, available_count=0, scan_count=18905930, drop_count=0, exec_time=1655078690, api_et=1655064240.000000000, api_lt=1655078640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655064240.000000000, search_lt=1655078640.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2675", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=18905930, total_slices=1409202, decompressed_slices=362316, duration.command.search.index=10276, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=77304, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10644562, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 00:05:04.568, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655078520_22082', total_run_time=40.86, event_count=0, result_count=0, available_count=0, scan_count=18904282, drop_count=0, exec_time=1655078569, api_et=1655064120.000000000, api_lt=1655078520.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655064120.000000000, search_lt=1655078520.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2586", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=141, eliminated_buckets=0, considered_events=18904282, total_slices=1433096, decompressed_slices=362236, duration.command.search.index=10582, invocations.command.search.index.bucketcache.hit=141, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=92337, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10647751, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 00:05:04.474, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655078580_22131', total_run_time=57.79, event_count=0, result_count=0, available_count=0, scan_count=18905024, drop_count=0, exec_time=1655078629, api_et=1655064180.000000000, api_lt=1655078580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655064180.000000000, search_lt=1655078580.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2704", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=141, eliminated_buckets=0, considered_events=18905024, total_slices=1434893, decompressed_slices=362228, duration.command.search.index=13227, invocations.command.search.index.bucketcache.hit=141, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=108226, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10646238, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 00:02:56.491, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655078460_22046', total_run_time=37.48, event_count=0, result_count=0, available_count=0, scan_count=18903152, drop_count=0, exec_time=1655078509, api_et=1655064060.000000000, api_lt=1655078460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655064060.000000000, search_lt=1655078460.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2630", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=141, eliminated_buckets=0, considered_events=18903152, total_slices=1431498, decompressed_slices=362220, duration.command.search.index=10755, invocations.command.search.index.bucketcache.hit=141, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=98324, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10648497, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-13-2022 00:01:56.593, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD5447569e8e48a25cb_at_1655078400_22009', total_run_time=63.10, event_count=0, result_count=102, available_count=0, scan_count=0, drop_count=0, exec_time=1655078432, api_et=1655076600.000000000, api_lt=1655078400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655076600.000000000, search_lt=1655078400.000000000, is_realtime=0, savedsearch_name="DMO SOP SIR Metrics", search_startup_time="63807", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=0, eliminated_buckets=0, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=0, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='| inputlookup dmo_conf_age.csv | search pageTitle IN ("DMOESS*", "RQ-S*") NOT pageTitle IN ("*+Retired", "*+RETIRED") | rex field=pageTitle "^(?\S+?)\+" | join usecase_id [| search earliest=-1y index=sec_snow sourcetype=snow:sn_si_incident | rex field=description "(?s)\|\s(?(RQ-|DMOESS).*)?For ServiceNow Consumption:" | stats latest(number) as latest_sir_number by _time, usecase_title | makemv usecase_title delim=" | " | mvexpand usecase_title | search usecase_title IN ("RQ-*", "DMOESS*") | stats last(latest_sir_number) as latest_sir_number latest(_time) as last_appeared_in_sir by usecase_title | rex field=usecase_title "^(?\S*)" | fields usecase_id, usecase_title, latest_sir_number, last_appeared_in_sir] | stats values(pageTitle) as conf_pageTitle, values(last_edited_by) as conf_last_edited_by, values(last_edited) as conf_last_edited, values(days) as conf_days_since_last_edit, values(pageId) as conf_pageId by last_appeared_in_sir, latest_sir_number, usecase_id, usecase_title | convert ctime(last_appeared_in_sir) | outputlookup dmo_sop_sir_metrics.csv'] Audit:[timestamp=06-13-2022 00:01:56.505, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655078400_22014', total_run_time=39.65, event_count=0, result_count=0, available_count=0, scan_count=18921123, drop_count=0, exec_time=1655078450, api_et=1655064000.000000000, api_lt=1655078400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655064000.000000000, search_lt=1655078400.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2474", has_error_msg=false, 
fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=141, eliminated_buckets=0, considered_events=18921123, total_slices=1429843, decompressed_slices=362540, duration.command.search.index=10923, invocations.command.search.index.bucketcache.hit=141, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=93735, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10665410, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host 
src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 23:44:15.890, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1655077380_21720', total_run_time=21.42, event_count=0, result_count=0, available_count=0, scan_count=3769, drop_count=0, exec_time=1655077418, api_et=1655073780.000000000, api_lt=1655077380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655073780.000000000, search_lt=1655077420.671942000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2839", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_b3fb15e69e7fbeb3", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=0, considered_events=3769, total_slices=753509, decompressed_slices=1053, duration.command.search.index=997, invocations.command.search.index.bucketcache.hit=129, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4902, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 23:36:30.953, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1655076780_21512', total_run_time=34.61, event_count=0, result_count=0, available_count=0, scan_count=39080667, drop_count=0, exec_time=1655076805, api_et=1655073180.000000000, api_lt=1655076780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655073180.000000000, search_lt=1655076807.636015000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3792", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_2c8be439201c30be", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1842, eliminated_buckets=134, considered_events=39080667, total_slices=14017266, decompressed_slices=3815435, duration.command.search.index=13460, invocations.command.search.index.bucketcache.hit=1841, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=213179, invocations.command.search.rawdata.bucketcache.hit=262, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 23:16:48.050, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1655075760_21171', total_run_time=6.59, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655075771, api_et=1655071560.000000000, api_lt=1655075160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655072160.000000000, search_lt=1655075773.025344000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3264", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_3affb88bbb22da0f", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1013, eliminated_buckets=341, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=618, invocations.command.search.index.bucketcache.hit=1013, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metadata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metadata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 23:14:46.439, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1655075640_21130', total_run_time=4.32, event_count=0, result_count=0, available_count=0, scan_count=14875, drop_count=0, exec_time=1655075663, api_et=1655072040.000000000, api_lt=1655075640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655072040.000000000, search_lt=1655075665.287102000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2788", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=418, eliminated_buckets=289, considered_events=14971, total_slices=546040, decompressed_slices=2011, duration.command.search.index=1062, invocations.command.search.index.bucketcache.hit=418, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5628, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=32, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=68, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=191, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=44, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=6, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=54, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=2, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") 
`filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-12-2022 23:11:16.326, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1655075460_21065', total_run_time=4.83, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655075465, api_et=1655071860.000000000, api_lt=1655075460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655071860.000000000, search_lt=1655075466.788714000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2811", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_d4c00e6daad34c9d", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=119, eliminated_buckets=44, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=54, invocations.command.search.index.bucketcache.hit=119, 
duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 23:09:46.133, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1655075340_21033', total_run_time=19.03, event_count=0, result_count=0, available_count=0, scan_count=3704678, drop_count=0, exec_time=1655075345, api_et=1655071140.000000000, api_lt=1655074740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655071140.000000000, search_lt=1655074740.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3001", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_feba64ae719eed5e", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=769, eliminated_buckets=357, considered_events=3704678, total_slices=1161730, decompressed_slices=170087, duration.command.search.index=1609, invocations.command.search.index.bucketcache.hit=769, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=28570, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=88, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 23:08:54.721, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1655075220_21020', total_run_time=21.50, event_count=1118, result_count=54, available_count=0, scan_count=317098, drop_count=0, exec_time=1655075284, api_et=1655071620.000000000, api_lt=1655075220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655071620.000000000, search_lt=1655075286.187003000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2859", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=422, eliminated_buckets=201, considered_events=322288, total_slices=523295, decompressed_slices=77438, duration.command.search.index=2784, invocations.command.search.index.bucketcache.hit=419, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=22943, invocations.command.search.rawdata.bucketcache.hit=6, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=260295, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=28027, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | 
rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-12-2022 23:07:46.321, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1655075220_21009', total_run_time=5.24, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655075246, api_et=1655071620.000000000, api_lt=1655075220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655071620.000000000, search_lt=1655075248.321663000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2799", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_1fda8052a4a2a2ae", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=422, eliminated_buckets=201, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=629, invocations.command.search.index.bucketcache.hit=419, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, 
invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 22:44:20.044, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1655073780_20542', total_run_time=21.34, event_count=0, result_count=0, available_count=0, scan_count=3130, drop_count=0, exec_time=1655073818, api_et=1655070180.000000000, api_lt=1655073780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655070180.000000000, search_lt=1655073820.109894000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2750", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_eb48c593ac5128e1", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=127, eliminated_buckets=1, considered_events=3130, total_slices=772214, decompressed_slices=990, duration.command.search.index=1053, invocations.command.search.index.bucketcache.hit=127, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4700, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 22:35:30.005, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1655073180_20333', total_run_time=34.98, event_count=0, result_count=0, available_count=0, scan_count=39604281, drop_count=0, exec_time=1655073206, api_et=1655069580.000000000, api_lt=1655073180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655069580.000000000, search_lt=1655073207.914820000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3573", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_ed3c8393b9d0519b", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1834, eliminated_buckets=134, considered_events=39604281, total_slices=13934883, decompressed_slices=3860168, duration.command.search.index=13872, invocations.command.search.index.bucketcache.hit=1834, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=215524, invocations.command.search.rawdata.bucketcache.hit=259, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 22:16:26.479, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1655072160_19980', total_run_time=8.47, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655072170, api_et=1655067960.000000000, api_lt=1655071560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655068560.000000000, search_lt=1655072172.043401000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3204", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_a069c7ce43206839", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1017, eliminated_buckets=340, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=620, invocations.command.search.index.bucketcache.hit=1017, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 22:14:56.791, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1655072040_19940', total_run_time=5.00, event_count=0, result_count=0, available_count=0, scan_count=10594, drop_count=0, exec_time=1655072063, api_et=1655068440.000000000, api_lt=1655072040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655068440.000000000, search_lt=1655072065.609672000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2806", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=418, eliminated_buckets=289, considered_events=10647, total_slices=489884, decompressed_slices=1894, duration.command.search.index=944, invocations.command.search.index.bucketcache.hit=418, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5427, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=34, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=53, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=154, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=37, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=5, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=49, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=2, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") 
`filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-12-2022 22:11:26.802, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1655071860_19873', total_run_time=5.04, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655071864, api_et=1655068260.000000000, api_lt=1655071860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655068260.000000000, search_lt=1655071866.581234000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2986", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_b97f699a3b969d4a", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=119, eliminated_buckets=44, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=55, invocations.command.search.index.bucketcache.hit=119, 
duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 22:09:56.984, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1655071740_19842', total_run_time=27.24, event_count=0, result_count=0, available_count=0, scan_count=3751985, drop_count=0, exec_time=1655071745, api_et=1655067540.000000000, api_lt=1655071140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655067540.000000000, search_lt=1655071140.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="2956", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_7e76b6cb3547bb8d", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=764, eliminated_buckets=350, considered_events=3751985, total_slices=1143520, decompressed_slices=171380, duration.command.search.index=1622, invocations.command.search.index.bucketcache.hit=762, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=29398, invocations.command.search.rawdata.bucketcache.hit=9, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=88, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 22:08:26.802, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1655071620_19822', total_run_time=22.30, event_count=1117, result_count=54, available_count=0, scan_count=316091, drop_count=0, exec_time=1655071680, api_et=1655068020.000000000, api_lt=1655071620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655068020.000000000, search_lt=1655071682.362602000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2787", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=420, eliminated_buckets=202, considered_events=322840, total_slices=558684, decompressed_slices=77388, duration.command.search.index=2846, invocations.command.search.index.bucketcache.hit=420, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=22375, invocations.command.search.rawdata.bucketcache.hit=5, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=262247, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=27654, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | 
rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-12-2022 22:07:56.670, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1655071620_19817', total_run_time=5.57, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655071645, api_et=1655068020.000000000, api_lt=1655071620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655068020.000000000, search_lt=1655071647.703080000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2642", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_31262727a5cadecf", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=420, eliminated_buckets=202, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=603, invocations.command.search.index.bucketcache.hit=420, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, 
invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 21:44:02.725, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1655070180_19350', total_run_time=21.60, event_count=0, result_count=0, available_count=0, scan_count=3991, drop_count=0, exec_time=1655070218, api_et=1655066580.000000000, api_lt=1655070180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655066580.000000000, search_lt=1655070220.787317000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2990", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_bc688e963e023d8a", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=127, eliminated_buckets=0, considered_events=3991, total_slices=854197, decompressed_slices=1115, duration.command.search.index=1058, invocations.command.search.index.bucketcache.hit=127, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4910, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 21:35:48.100, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1655069580_19144', total_run_time=34.39, event_count=0, result_count=0, available_count=0, scan_count=39661490, drop_count=0, exec_time=1655069605, api_et=1655065980.000000000, api_lt=1655069580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655065980.000000000, search_lt=1655069607.749721000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3788", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_77d2789f27a04d84", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1875, eliminated_buckets=134, considered_events=39661490, total_slices=14331690, decompressed_slices=3895340, duration.command.search.index=14012, invocations.command.search.index.bucketcache.hit=1872, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=214878, invocations.command.search.rawdata.bucketcache.hit=292, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 21:16:24.599, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1655068560_18805', total_run_time=9.50, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655068570, api_et=1655064360.000000000, api_lt=1655067960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655064960.000000000, search_lt=1655068572.052303000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3328", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_df0ec3e00986ab74", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1015, eliminated_buckets=340, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=754, invocations.command.search.index.bucketcache.hit=1015, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 21:14:54.659, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1655068440_18765', total_run_time=4.18, event_count=0, result_count=0, available_count=0, scan_count=9970, drop_count=0, exec_time=1655068463, api_et=1655064840.000000000, api_lt=1655068440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655064840.000000000, search_lt=1655068465.128936000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2843", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=422, eliminated_buckets=293, considered_events=9970, total_slices=446877, decompressed_slices=1650, duration.command.search.index=957, invocations.command.search.index.bucketcache.hit=422, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5355, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=42, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=64, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=182, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=42, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=2, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=45, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=1, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") 
`filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-12-2022 21:11:24.456, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1655068260_18698', total_run_time=5.49, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655068264, api_et=1655064660.000000000, api_lt=1655068260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655064660.000000000, search_lt=1655068267.485377000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="3507", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_3644d8a78c8a3796", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=117, eliminated_buckets=42, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=53, invocations.command.search.index.bucketcache.hit=117, 
duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 21:09:54.664, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1655068140_18663', total_run_time=21.26, event_count=0, result_count=0, available_count=0, scan_count=3707998, drop_count=0, exec_time=1655068145, api_et=1655063940.000000000, api_lt=1655067540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655063940.000000000, search_lt=1655067540.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3010", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_740f8bd635bdc58c", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=773, eliminated_buckets=361, considered_events=3707998, total_slices=1176396, decompressed_slices=166828, duration.command.search.index=1533, invocations.command.search.index.bucketcache.hit=772, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=28369, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=95, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 21:08:24.458, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1655068020_18644', total_run_time=23.53, event_count=1151, result_count=54, available_count=0, scan_count=324090, drop_count=0, exec_time=1655068080, api_et=1655064420.000000000, api_lt=1655068020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655064420.000000000, search_lt=1655068082.259045000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2861", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=420, eliminated_buckets=201, considered_events=330295, total_slices=624391, decompressed_slices=78380, duration.command.search.index=3011, invocations.command.search.index.bucketcache.hit=419, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=23251, invocations.command.search.rawdata.bucketcache.hit=5, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=270522, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=27291, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | 
rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-12-2022 21:07:54.661, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1655068020_18639', total_run_time=4.29, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655068046, api_et=1655064420.000000000, api_lt=1655068020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655064420.000000000, search_lt=1655068048.708736000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2886", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_09f7069c827f8a9e", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=420, eliminated_buckets=201, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=581, invocations.command.search.index.bucketcache.hit=419, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, 
invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 21:00:24.402, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655067540_18447', total_run_time=12.28, event_count=0, result_count=0, available_count=0, scan_count=18988225, drop_count=0, exec_time=1655067590, api_et=1655053140.000000000, api_lt=1655067540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655053140.000000000, search_lt=1655067540.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3081", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=18988225, total_slices=1512262, decompressed_slices=361072, duration.command.search.index=6324, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53385, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10701618, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 20:59:24.492, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655067480_18434', total_run_time=12.31, event_count=0, result_count=0, available_count=0, scan_count=18989334, drop_count=0, exec_time=1655067529, api_et=1655053080.000000000, api_lt=1655067480.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655053080.000000000, search_lt=1655067480.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3168", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=18989334, total_slices=1510703, decompressed_slices=361008, duration.command.search.index=6696, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=48678, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10700943, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 20:58:24.548, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655067420_18418', total_run_time=11.94, event_count=0, result_count=0, available_count=0, scan_count=18992633, drop_count=0, exec_time=1655067469, api_et=1655053020.000000000, api_lt=1655067420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655053020.000000000, search_lt=1655067420.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2759", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=18992633, total_slices=1509011, decompressed_slices=361076, duration.command.search.index=6527, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=50797, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10700166, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 20:57:24.560, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655067360_18401', total_run_time=11.77, event_count=0, result_count=0, available_count=0, scan_count=18995110, drop_count=0, exec_time=1655067409, api_et=1655052960.000000000, api_lt=1655067360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655052960.000000000, search_lt=1655067360.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2920", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=18995110, total_slices=1507467, decompressed_slices=361039, duration.command.search.index=6463, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=50722, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10700252, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 20:56:24.365, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655067300_18390', total_run_time=11.68, event_count=0, result_count=0, available_count=0, scan_count=18996888, drop_count=0, exec_time=1655067349, api_et=1655052900.000000000, api_lt=1655067300.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655052900.000000000, search_lt=1655067300.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2717", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=18996888, total_slices=1505703, decompressed_slices=361027, duration.command.search.index=6369, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52455, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10700949, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 20:55:24.568, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655067240_18375', total_run_time=12.25, event_count=0, result_count=0, available_count=0, scan_count=19000214, drop_count=0, exec_time=1655067289, api_et=1655052840.000000000, api_lt=1655067240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655052840.000000000, search_lt=1655067240.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2764", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=19000214, total_slices=1504288, decompressed_slices=361036, duration.command.search.index=6797, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=49289, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10702023, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 20:54:12.015, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655067180_18358', total_run_time=11.92, event_count=0, result_count=0, available_count=0, scan_count=19002780, drop_count=0, exec_time=1655067229, api_et=1655052780.000000000, api_lt=1655067180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655052780.000000000, search_lt=1655067180.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3169", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=19002780, total_slices=1502639, decompressed_slices=361066, duration.command.search.index=6553, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=49347, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10702029, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 20:53:24.548, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655067120_18334', total_run_time=12.93, event_count=0, result_count=0, available_count=0, scan_count=19004825, drop_count=0, exec_time=1655067169, api_et=1655052720.000000000, api_lt=1655067120.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655052720.000000000, search_lt=1655067120.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2618", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=19004825, total_slices=1500968, decompressed_slices=360982, duration.command.search.index=6911, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=50887, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10701538, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 20:52:24.926, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655067060_18316', total_run_time=13.48, event_count=0, result_count=0, available_count=0, scan_count=19008606, drop_count=0, exec_time=1655067109, api_et=1655052660.000000000, api_lt=1655067060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655052660.000000000, search_lt=1655067060.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2727", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=19008606, total_slices=1499444, decompressed_slices=360945, duration.command.search.index=7159, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52488, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10701341, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 20:51:10.796, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655067000_18293', total_run_time=13.38, event_count=0, result_count=0, available_count=0, scan_count=19013420, drop_count=0, exec_time=1655067049, api_et=1655052600.000000000, api_lt=1655067000.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655052600.000000000, search_lt=1655067000.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2637", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=19013420, total_slices=1497806, decompressed_slices=360858, duration.command.search.index=6888, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53948, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10702898, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 20:50:40.715, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655066880_18249', total_run_time=12.84, event_count=0, result_count=0, available_count=0, scan_count=19021820, drop_count=0, exec_time=1655066929, api_et=1655052480.000000000, api_lt=1655066880.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655052480.000000000, search_lt=1655066880.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2630", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=19021820, total_slices=1494519, decompressed_slices=360849, duration.command.search.index=7293, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53218, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10706564, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 20:50:40.304, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655066940_18270', total_run_time=11.80, event_count=0, result_count=0, available_count=0, scan_count=19018557, drop_count=0, exec_time=1655066990, api_et=1655052540.000000000, api_lt=1655066940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655052540.000000000, search_lt=1655066940.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2830", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=19018557, total_slices=1496108, decompressed_slices=360893, duration.command.search.index=7009, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=50166, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10706358, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 20:48:16.165, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655066820_18232', total_run_time=12.68, event_count=0, result_count=0, available_count=0, scan_count=19023739, drop_count=0, exec_time=1655066869, api_et=1655052420.000000000, api_lt=1655066820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655052420.000000000, search_lt=1655066820.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2647", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=19023739, total_slices=1492812, decompressed_slices=360814, duration.command.search.index=6715, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52784, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10706324, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 20:47:15.684, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655066760_18211', total_run_time=11.66, event_count=0, result_count=0, available_count=0, scan_count=19027799, drop_count=0, exec_time=1655066809, api_et=1655052360.000000000, api_lt=1655066760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655052360.000000000, search_lt=1655066760.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2489", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=19027799, total_slices=1491348, decompressed_slices=360919, duration.command.search.index=6514, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=49923, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10706483, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 20:46:15.851, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655066700_18193', total_run_time=12.51, event_count=0, result_count=0, available_count=0, scan_count=19034818, drop_count=0, exec_time=1655066749, api_et=1655052300.000000000, api_lt=1655066700.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655052300.000000000, search_lt=1655066700.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2652", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=19034818, total_slices=1489790, decompressed_slices=361005, duration.command.search.index=6377, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53438, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10708331, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 20:45:15.742, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655066640_18171', total_run_time=11.57, event_count=0, result_count=0, available_count=0, scan_count=19035425, drop_count=0, exec_time=1655066689, api_et=1655052240.000000000, api_lt=1655066640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655052240.000000000, search_lt=1655066640.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2643", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=19035425, total_slices=1488168, decompressed_slices=360896, duration.command.search.index=6508, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51727, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10707576, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 20:44:15.836, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1655066580_18147', total_run_time=20.76, event_count=0, result_count=0, available_count=0, scan_count=3592, drop_count=0, exec_time=1655066618, api_et=1655062980.000000000, api_lt=1655066580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655062980.000000000, search_lt=1655066620.462990000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2886", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_72d85b85b63597b0", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=125, eliminated_buckets=0, considered_events=3592, total_slices=923664, decompressed_slices=1162, duration.command.search.index=1002, invocations.command.search.index.bucketcache.hit=125, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4831, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 20:44:15.797, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655066580_18150', total_run_time=12.94, event_count=0, result_count=0, available_count=0, scan_count=19039084, drop_count=0, exec_time=1655066629, api_et=1655052180.000000000, api_lt=1655066580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655052180.000000000, search_lt=1655066580.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3138", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=19039084, total_slices=1486620, decompressed_slices=360839, duration.command.search.index=6378, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53668, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10707049, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 20:43:15.593, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655066520_18122', total_run_time=13.30, event_count=0, result_count=0, available_count=0, scan_count=19039843, drop_count=0, exec_time=1655066569, api_et=1655052120.000000000, api_lt=1655066520.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655052120.000000000, search_lt=1655066520.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2544", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=19039843, total_slices=1484907, decompressed_slices=360868, duration.command.search.index=7133, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=50708, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10706297, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 20:42:15.755, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655066460_18099', total_run_time=12.53, event_count=0, result_count=0, available_count=0, scan_count=19050904, drop_count=0, exec_time=1655066509, api_et=1655052060.000000000, api_lt=1655066460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655052060.000000000, search_lt=1655066460.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2580", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=19050904, total_slices=1510145, decompressed_slices=361023, duration.command.search.index=6868, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51259, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10708170, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 20:41:05.665, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655066400_18074', total_run_time=12.05, event_count=0, result_count=0, available_count=0, scan_count=19060191, drop_count=0, exec_time=1655066449, api_et=1655052000.000000000, api_lt=1655066400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655052000.000000000, search_lt=1655066400.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2618", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=19060191, total_slices=1508667, decompressed_slices=361100, duration.command.search.index=6826, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=54129, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10710019, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 20:40:45.754, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655066280_18036', total_run_time=12.01, event_count=0, result_count=0, available_count=0, scan_count=19069546, drop_count=0, exec_time=1655066329, api_et=1655051880.000000000, api_lt=1655066280.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655051880.000000000, search_lt=1655066280.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2800", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=19069546, total_slices=1505372, decompressed_slices=361125, duration.command.search.index=6658, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51565, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10711823, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 20:40:44.964, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655066340_18052', total_run_time=11.81, event_count=0, result_count=0, available_count=0, scan_count=19064721, drop_count=0, exec_time=1655066390, api_et=1655051940.000000000, api_lt=1655066340.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655051940.000000000, search_lt=1655066340.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2880", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=19064721, total_slices=1507028, decompressed_slices=361141, duration.command.search.index=6551, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51294, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10711481, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 20:38:26.775, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655066220_18021', total_run_time=11.60, event_count=0, result_count=0, available_count=0, scan_count=19072006, drop_count=0, exec_time=1655066270, api_et=1655051820.000000000, api_lt=1655066220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655051820.000000000, search_lt=1655066220.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2545", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=19072006, total_slices=1503728, decompressed_slices=361131, duration.command.search.index=6657, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52231, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10711655, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 20:37:27.932, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655066160_18006', total_run_time=13.75, event_count=0, result_count=0, available_count=0, scan_count=19075706, drop_count=0, exec_time=1655066210, api_et=1655051760.000000000, api_lt=1655066160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655051760.000000000, search_lt=1655066160.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2461", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=19075706, total_slices=1502268, decompressed_slices=361159, duration.command.search.index=6921, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=49500, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10712017, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 20:36:16.345, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655066100_17996', total_run_time=11.47, event_count=0, result_count=0, available_count=0, scan_count=19078298, drop_count=0, exec_time=1655066150, api_et=1655051700.000000000, api_lt=1655066100.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655051700.000000000, search_lt=1655066100.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2693", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=19078298, total_slices=1500631, decompressed_slices=361211, duration.command.search.index=6913, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=47922, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10712897, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 20:35:54.638, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1655065980_17927', total_run_time=35.46, event_count=0, result_count=0, available_count=0, scan_count=39621411, drop_count=0, exec_time=1655066006, api_et=1655062380.000000000, api_lt=1655065980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655062380.000000000, search_lt=1655066008.069529000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3612", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_8ec3df709e066e53", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1855, eliminated_buckets=134, considered_events=39621411, total_slices=14261373, decompressed_slices=3903732, duration.command.search.index=13899, invocations.command.search.index.bucketcache.hit=1853, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=217576, invocations.command.search.rawdata.bucketcache.hit=275, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 20:35:54.475, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655066040_17975', total_run_time=12.79, event_count=0, result_count=0, available_count=0, scan_count=19078992, drop_count=0, exec_time=1655066090, api_et=1655051640.000000000, api_lt=1655066040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655051640.000000000, search_lt=1655066040.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2869", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=1, considered_events=19078992, total_slices=1499012, decompressed_slices=361150, duration.command.search.index=7160, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51032, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10712616, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 20:35:54.384, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655065980_17939', total_run_time=14.29, event_count=0, result_count=0, available_count=0, scan_count=19082256, drop_count=0, exec_time=1655066029, api_et=1655051580.000000000, api_lt=1655065980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655051580.000000000, search_lt=1655065980.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2795", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=1, considered_events=19082256, total_slices=1497360, decompressed_slices=361125, duration.command.search.index=7990, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59462, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10713327, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 20:33:12.697, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655065920_17902', total_run_time=15.07, event_count=0, result_count=0, available_count=0, scan_count=19084286, drop_count=0, exec_time=1655065969, api_et=1655051520.000000000, api_lt=1655065920.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655051520.000000000, search_lt=1655065920.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2639", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=19084286, total_slices=1495762, decompressed_slices=361147, duration.command.search.index=7792, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58838, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10712899, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 20:32:13.201, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655065860_17873', total_run_time=13.40, event_count=0, result_count=0, available_count=0, scan_count=19087630, drop_count=0, exec_time=1655065909, api_et=1655051460.000000000, api_lt=1655065860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655051460.000000000, search_lt=1655065860.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3029", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=19087630, total_slices=1494224, decompressed_slices=361281, duration.command.search.index=7428, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55568, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10713686, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 20:31:12.627, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655065800_17845', total_run_time=14.95, event_count=0, result_count=0, available_count=0, scan_count=19093552, drop_count=0, exec_time=1655065849, api_et=1655051400.000000000, api_lt=1655065800.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655051400.000000000, search_lt=1655065800.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2705", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=19093552, total_slices=1492668, decompressed_slices=361329, duration.command.search.index=7373, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57174, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10717925, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 20:30:14.418, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655065680_17803', total_run_time=11.74, event_count=0, result_count=0, available_count=0, scan_count=19100966, drop_count=0, exec_time=1655065730, api_et=1655051280.000000000, api_lt=1655065680.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655051280.000000000, search_lt=1655065680.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2740", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=19100966, total_slices=1489405, decompressed_slices=361388, duration.command.search.index=6601, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=50873, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10722168, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 20:30:14.018, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655065740_17816', total_run_time=11.46, event_count=0, result_count=0, available_count=0, scan_count=19097287, drop_count=0, exec_time=1655065789, api_et=1655051340.000000000, api_lt=1655065740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655051340.000000000, search_lt=1655065740.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2624", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=19097287, total_slices=1490977, decompressed_slices=361400, duration.command.search.index=6565, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51991, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10721405, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 20:28:26.837, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655065620_17788', total_run_time=11.61, event_count=0, result_count=0, available_count=0, scan_count=19106918, drop_count=0, exec_time=1655065669, api_et=1655051220.000000000, api_lt=1655065620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655051220.000000000, search_lt=1655065620.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2487", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=19106918, total_slices=1487750, decompressed_slices=361372, duration.command.search.index=6747, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=49989, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10725353, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 20:27:26.782, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655065560_17770', total_run_time=11.08, event_count=0, result_count=0, available_count=0, scan_count=19112699, drop_count=0, exec_time=1655065609, api_et=1655051160.000000000, api_lt=1655065560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655051160.000000000, search_lt=1655065560.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2550", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=133, eliminated_buckets=0, considered_events=19112699, total_slices=1486120, decompressed_slices=361533, duration.command.search.index=6518, invocations.command.search.index.bucketcache.hit=133, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51552, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10727481, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 20:26:18.730, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655065500_17754', total_run_time=12.88, event_count=0, result_count=0, available_count=0, scan_count=19120984, drop_count=0, exec_time=1655065549, api_et=1655051100.000000000, api_lt=1655065500.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655051100.000000000, search_lt=1655065500.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3512", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=133, eliminated_buckets=0, considered_events=19120984, total_slices=1484628, decompressed_slices=361609, duration.command.search.index=6546, invocations.command.search.index.bucketcache.hit=133, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=49414, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10729554, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 20:26:02.019, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655065380_17722', total_run_time=11.94, event_count=0, result_count=0, available_count=0, scan_count=19130785, drop_count=0, exec_time=1655065429, api_et=1655050980.000000000, api_lt=1655065380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655050980.000000000, search_lt=1655065380.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2743", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=19130785, total_slices=1508336, decompressed_slices=361581, duration.command.search.index=6654, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=48592, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10732054, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 20:26:01.596, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655065440_17741', total_run_time=11.72, event_count=0, result_count=0, available_count=0, scan_count=19124554, drop_count=0, exec_time=1655065490, api_et=1655051040.000000000, api_lt=1655065440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655051040.000000000, search_lt=1655065440.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2784", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=133, eliminated_buckets=0, considered_events=19124554, total_slices=1483009, decompressed_slices=361620, duration.command.search.index=6624, invocations.command.search.index.bucketcache.hit=133, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=48760, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10730449, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 20:23:05.616, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655065320_17689', total_run_time=13.03, event_count=0, result_count=0, available_count=0, scan_count=19136161, drop_count=0, exec_time=1655065369, api_et=1655050920.000000000, api_lt=1655065320.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655050920.000000000, search_lt=1655065320.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2668", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=19136161, total_slices=1506724, decompressed_slices=361607, duration.command.search.index=6712, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52203, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10733660, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 20:22:23.049, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655065200_17645', total_run_time=12.36, event_count=0, result_count=0, available_count=0, scan_count=19146000, drop_count=0, exec_time=1655065249, api_et=1655050800.000000000, api_lt=1655065200.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655050800.000000000, search_lt=1655065200.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2768", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=1, considered_events=19146000, total_slices=1525102, decompressed_slices=361750, duration.command.search.index=6793, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=48240, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10735775, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 20:22:22.016, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655065140_17622', total_run_time=12.48, event_count=0, result_count=0, available_count=0, scan_count=19148181, drop_count=0, exec_time=1655065189, api_et=1655050740.000000000, api_lt=1655065140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655050740.000000000, search_lt=1655065140.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2681", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=1, considered_events=19148181, total_slices=1523453, decompressed_slices=361793, duration.command.search.index=6886, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=50469, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10737793, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 20:22:21.377, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655065080_17596', total_run_time=14.46, event_count=0, result_count=0, available_count=0, scan_count=19154601, drop_count=0, exec_time=1655065129, api_et=1655050680.000000000, api_lt=1655065080.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655050680.000000000, search_lt=1655065080.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2726", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=1, considered_events=19154601, total_slices=1521190, decompressed_slices=361800, duration.command.search.index=7406, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55484, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10740397, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 20:22:21.134, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655065260_17672', total_run_time=12.17, event_count=0, result_count=0, available_count=0, scan_count=19141574, drop_count=0, exec_time=1655065309, api_et=1655050860.000000000, api_lt=1655065260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655050860.000000000, search_lt=1655065260.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2645", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=19141574, total_slices=1505147, decompressed_slices=361701, duration.command.search.index=6779, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51601, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10734151, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 20:18:11.156, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655065020_17575', total_run_time=14.22, event_count=0, result_count=0, available_count=0, scan_count=19159762, drop_count=0, exec_time=1655065069, api_et=1655050620.000000000, api_lt=1655065020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655050620.000000000, search_lt=1655065020.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2626", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=1, considered_events=19159762, total_slices=1520252, decompressed_slices=361853, duration.command.search.index=7118, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=50037, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10743913, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 20:17:09.875, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655064960_17552', total_run_time=12.14, event_count=0, result_count=0, available_count=0, scan_count=19165184, drop_count=0, exec_time=1655065009, api_et=1655050560.000000000, api_lt=1655064960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655050560.000000000, search_lt=1655064960.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2617", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=1, considered_events=19165184, total_slices=1518681, decompressed_slices=362005, duration.command.search.index=7355, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=50043, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10746096, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 20:16:39.834, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1655064960_17546', total_run_time=10.46, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655064970, api_et=1655060760.000000000, api_lt=1655064360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655061360.000000000, search_lt=1655064972.574897000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3735", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_c186be52ae9dbd1a", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1013, eliminated_buckets=338, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=801, invocations.command.search.index.bucketcache.hit=1013, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?<rapiddiag_operation>task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?<get_parameters>.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?<task_name>.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 20:16:10.019, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655064900_17535', total_run_time=11.91, event_count=0, result_count=0, available_count=0, scan_count=19170789, drop_count=0, exec_time=1655064949, api_et=1655050500.000000000, api_lt=1655064900.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655050500.000000000, search_lt=1655064900.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2321", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=1, considered_events=19170789, total_slices=1516990, decompressed_slices=362078, duration.command.search.index=6855, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52888, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10749969, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 20:15:09.915, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655064840_17516', total_run_time=12.00, event_count=0, result_count=0, available_count=0, scan_count=19175462, drop_count=0, exec_time=1655064890, api_et=1655050440.000000000, api_lt=1655064840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655050440.000000000, search_lt=1655064840.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2716", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=1, considered_events=19175462, total_slices=1515445, decompressed_slices=362074, duration.command.search.index=6553, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53453, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10754031, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 20:14:39.919, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1655064840_17502', total_run_time=4.88, event_count=0, result_count=0, available_count=0, scan_count=14058, drop_count=0, exec_time=1655064862, api_et=1655061240.000000000, api_lt=1655064840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655061240.000000000, search_lt=1655064864.791932000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2796", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=418, eliminated_buckets=289, considered_events=14365, total_slices=435200, decompressed_slices=2775, duration.command.search.index=1067, invocations.command.search.index.bucketcache.hit=418, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5718, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=42, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=55, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=165, 
sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=36, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=5, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=333, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=8, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR 
sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-12-2022 20:14:10.108, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655064780_17492', total_run_time=12.19, event_count=0, result_count=0, available_count=0, scan_count=19181171, drop_count=0, exec_time=1655064829, api_et=1655050380.000000000, api_lt=1655064780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655050380.000000000, search_lt=1655064780.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2658", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=1, considered_events=19181171, total_slices=1513846, decompressed_slices=362064, 
duration.command.search.index=6488, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53523, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10756435, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 20:13:10.082, user=u00002, action=search, 
info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655064720_17465', total_run_time=11.98, event_count=0, result_count=0, available_count=0, scan_count=19184615, drop_count=0, exec_time=1655064769, api_et=1655050320.000000000, api_lt=1655064720.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655050320.000000000, search_lt=1655064720.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2634", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=1, considered_events=19184615, total_slices=1512175, decompressed_slices=362057, duration.command.search.index=6846, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52039, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10759537, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" 
src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 20:12:09.966, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655064660_17447', total_run_time=12.72, event_count=0, result_count=0, available_count=0, scan_count=19189107, drop_count=0, exec_time=1655064709, api_et=1655050260.000000000, api_lt=1655064660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655050260.000000000, search_lt=1655064660.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3188", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=1, considered_events=19189107, total_slices=1510661, decompressed_slices=362165, duration.command.search.index=6810, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, 
invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51730, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10762134, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 20:11:09.976, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655064600_17422', total_run_time=12.59, 
event_count=0, result_count=0, available_count=0, scan_count=19196363, drop_count=0, exec_time=1655064649, api_et=1655050200.000000000, api_lt=1655064600.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655050200.000000000, search_lt=1655064600.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2552", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=19196363, total_slices=1509167, decompressed_slices=362250, duration.command.search.index=6898, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=50919, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10764831, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, 
dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 20:11:09.940, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1655064660_17429', total_run_time=4.78, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655064664, api_et=1655061060.000000000, api_lt=1655064660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655061060.000000000, search_lt=1655064666.076560000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2675", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_d59e06822159b241", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=118, eliminated_buckets=42, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=53, invocations.command.search.index.bucketcache.hit=118, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, 
duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 20:10:06.718, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655064540_17403', total_run_time=12.13, event_count=0, result_count=0, available_count=0, scan_count=19200256, drop_count=0, exec_time=1655064588, api_et=1655050140.000000000, api_lt=1655064540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655050140.000000000, search_lt=1655064540.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2232", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=1, considered_events=19200256, total_slices=1534386, decompressed_slices=362256, duration.command.search.index=7256, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51313, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10766225, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 20:10:06.613, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1655064420_17379', total_run_time=22.62, event_count=1083, result_count=54, available_count=0, scan_count=307807, drop_count=0, exec_time=1655064484, api_et=1655060820.000000000, api_lt=1655064420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655060820.000000000, search_lt=1655064486.097986000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2771", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", 
provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=417, eliminated_buckets=201, considered_events=314572, total_slices=642915, decompressed_slices=76946, duration.command.search.index=2648, invocations.command.search.index.bucketcache.hit=417, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=22276, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=253548, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=25931, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable 
reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-12-2022 20:10:06.582, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655064480_17387', total_run_time=11.67, event_count=0, result_count=0, available_count=0, scan_count=19203641, drop_count=0, exec_time=1655064529, api_et=1655050080.000000000, api_lt=1655064480.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655050080.000000000, search_lt=1655064480.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2841", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=1, considered_events=19203641, total_slices=1532702, decompressed_slices=362290, duration.command.search.index=6828, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51601, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, 
invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10766649, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 20:10:06.460, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1655064540_17395', total_run_time=23.08, event_count=0, result_count=0, available_count=0, scan_count=3711626, drop_count=0, exec_time=1655064545, api_et=1655060340.000000000, api_lt=1655063940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655060340.000000000, search_lt=1655063940.000000000, is_realtime=0, savedsearch_name="Threat - 
DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="2980", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_3c185fce63afb4e9", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=777, eliminated_buckets=365, considered_events=3711626, total_slices=1174595, decompressed_slices=167897, duration.command.search.index=1555, invocations.command.search.index.bucketcache.hit=776, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=28489, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=98, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?<granted_account_id>\d+?):(?<granted_principal_name>.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId 
granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 20:08:20.759, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655064420_17370', total_run_time=11.96, event_count=0, result_count=0, available_count=0, scan_count=19203608, drop_count=0, exec_time=1655064469, api_et=1655050020.000000000, api_lt=1655064420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655050020.000000000, search_lt=1655064420.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2626", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=19203608, total_slices=1531128, decompressed_slices=362410, duration.command.search.index=6935, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=50736, invocations.command.search.rawdata.bucketcache.hit=15, 
duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10764415, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 20:07:50.663, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1655064420_17365', total_run_time=5.85, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655064446, api_et=1655060820.000000000, api_lt=1655064420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655060820.000000000, search_lt=1655064448.680296000, 
is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2734", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_caa41658789b4af6", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=417, eliminated_buckets=201, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=677, invocations.command.search.index.bucketcache.hit=417, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?<dest_host>(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) 
as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 20:07:21.513, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655064360_17350', total_run_time=12.52, event_count=0, result_count=0, available_count=0, scan_count=19205020, drop_count=0, exec_time=1655064410, api_et=1655049960.000000000, api_lt=1655064360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655049960.000000000, search_lt=1655064360.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2600", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=19205020, total_slices=1529648, decompressed_slices=362532, duration.command.search.index=7080, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, 
duration.command.search.rawdata=53588, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10763833, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 20:06:05.923, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655064300_17336', total_run_time=13.52, event_count=0, result_count=0, available_count=0, scan_count=19206865, drop_count=0, exec_time=1655064350, api_et=1655049900.000000000, 
api_lt=1655064300.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655049900.000000000, search_lt=1655064300.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3168", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=19206865, total_slices=1528086, decompressed_slices=362483, duration.command.search.index=6727, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53387, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10763327, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, 
earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 20:05:37.074, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655064240_17319', total_run_time=14.61, event_count=0, result_count=0, available_count=0, scan_count=19207063, drop_count=0, exec_time=1655064290, api_et=1655049840.000000000, api_lt=1655064240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655049840.000000000, search_lt=1655064240.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2697", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=19207063, total_slices=1526423, decompressed_slices=362339, duration.command.search.index=7874, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59125, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, 
invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10762234, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 20:05:36.329, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655064180_17278', total_run_time=15.67, event_count=0, result_count=0, available_count=0, scan_count=19208903, drop_count=0, exec_time=1655064229, api_et=1655049780.000000000, api_lt=1655064180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655049780.000000000, search_lt=1655064180.000000000, is_realtime=0, 
savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2717", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=19208903, total_slices=1524700, decompressed_slices=362336, duration.command.search.index=8312, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=65058, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10760637, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as 
ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 20:03:19.792, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655064120_17232', total_run_time=15.24, event_count=0, result_count=0, available_count=0, scan_count=19208276, drop_count=0, exec_time=1655064169, api_et=1655049720.000000000, api_lt=1655064120.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655049720.000000000, search_lt=1655064120.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2608", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=19208276, total_slices=1522984, decompressed_slices=362284, duration.command.search.index=8056, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=60421, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, 
invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10757481, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 20:02:19.745, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655064060_17202', total_run_time=14.09, event_count=0, result_count=0, available_count=0, scan_count=19210196, drop_count=0, exec_time=1655064109, api_et=1655049660.000000000, api_lt=1655064060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655049660.000000000, search_lt=1655064060.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2517", has_error_msg=false, fully_completed_search=true, 
is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=19210196, total_slices=1521367, decompressed_slices=362276, duration.command.search.index=7892, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59827, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10755421, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval 
right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 20:01:20.044, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655064000_17171', total_run_time=15.80, event_count=0, result_count=0, available_count=0, scan_count=19209852, drop_count=0, exec_time=1655064049, api_et=1655049600.000000000, api_lt=1655064000.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655049600.000000000, search_lt=1655064000.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2610", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=19209852, total_slices=1519717, decompressed_slices=362196, duration.command.search.index=8338, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61631, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10753153, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 19:44:01.728, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1655062980_16885', total_run_time=21.39, event_count=0, result_count=0, available_count=0, scan_count=4351, drop_count=0, exec_time=1655063018, api_et=1655059380.000000000, api_lt=1655062980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655059380.000000000, search_lt=1655063020.518996000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2811", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_a6d25741ddfce185", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=123, eliminated_buckets=0, considered_events=4351, total_slices=927718, decompressed_slices=1187, duration.command.search.index=1060, invocations.command.search.index.bucketcache.hit=123, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4640, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter 
vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 19:35:48.288, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1655062380_16679', total_run_time=34.39, event_count=0, result_count=0, available_count=0, scan_count=39597148, drop_count=0, exec_time=1655062405, api_et=1655058780.000000000, api_lt=1655062380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655058780.000000000, search_lt=1655062407.119729000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3373", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_106521c996057b75", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1844, eliminated_buckets=134, considered_events=39597148, total_slices=14012883, decompressed_slices=3885502, duration.command.search.index=13943, invocations.command.search.index.bucketcache.hit=1842, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=215132, invocations.command.search.rawdata.bucketcache.hit=259, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 19:16:25.257, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1655061360_16339', total_run_time=7.68, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655061371, api_et=1655057160.000000000, api_lt=1655060760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655057760.000000000, search_lt=1655061373.106768000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3210", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_2fd669d2cc03f290", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1014, eliminated_buckets=339, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=626, invocations.command.search.index.bucketcache.hit=1014, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes 
values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 19:14:55.190, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1655061240_16299', total_run_time=4.37, event_count=0, result_count=0, available_count=0, scan_count=11254, drop_count=0, exec_time=1655061263, api_et=1655057640.000000000, api_lt=1655061240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655057640.000000000, search_lt=1655061265.103568000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2876", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=418, eliminated_buckets=289, considered_events=11269, total_slices=379563, decompressed_slices=2021, duration.command.search.index=973, 
invocations.command.search.index.bucketcache.hit=418, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5483, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=35, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=64, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=194, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=42, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=4, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=203, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=7, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR 
sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." 
(CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-12-2022 19:11:25.113, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1655061060_16232', total_run_time=4.80, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655061064, api_et=1655057460.000000000, api_lt=1655061060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655057460.000000000, search_lt=1655061066.127431000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2808", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_374c1539356ac098", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=118, eliminated_buckets=43, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=51, invocations.command.search.index.bucketcache.hit=118, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 19:09:25.237, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1655060940_16201', total_run_time=18.29, event_count=0, result_count=0, available_count=0, scan_count=3716937, drop_count=0, exec_time=1655060945, api_et=1655056740.000000000, api_lt=1655060340.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655056740.000000000, search_lt=1655060340.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="2934", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_659a2418987c5f7a", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=779, eliminated_buckets=363, considered_events=3716937, total_slices=1189646, decompressed_slices=167213, duration.command.search.index=1524, invocations.command.search.index.bucketcache.hit=778, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=27231, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=110, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 19:08:25.284, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1655060820_16182', total_run_time=19.96, event_count=1098, result_count=54, available_count=0, scan_count=331081, drop_count=0, exec_time=1655060880, api_et=1655057220.000000000, api_lt=1655060820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655057220.000000000, search_lt=1655060882.255934000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2774", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=418, eliminated_buckets=201, considered_events=337669, total_slices=663753, decompressed_slices=80126, duration.command.search.index=2893, invocations.command.search.index.bucketcache.hit=418, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=23174, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=1, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=276595, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=27419, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype 
CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-12-2022 19:07:55.058, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1655060820_16177', total_run_time=5.08, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655060846, api_et=1655057220.000000000, api_lt=1655060820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655057220.000000000, search_lt=1655060848.857691000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="3099", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_d1529f38ec8fc6c8", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=418, eliminated_buckets=201, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=624, invocations.command.search.index.bucketcache.hit=418, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 18:44:53.394, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1655059380_15702', total_run_time=21.37, event_count=0, result_count=0, available_count=0, scan_count=3493, drop_count=0, exec_time=1655059418, api_et=1655055780.000000000, api_lt=1655059380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655055780.000000000, search_lt=1655059420.850575000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2919", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_f8f5c061b97fa118", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=125, eliminated_buckets=1, considered_events=3493, total_slices=956013, decompressed_slices=928, duration.command.search.index=1075, invocations.command.search.index.bucketcache.hit=124, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4880, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 18:35:40.425, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1655058780_15491', total_run_time=35.48, event_count=0, result_count=0, available_count=0, scan_count=39749710, drop_count=0, exec_time=1655058805, api_et=1655055180.000000000, api_lt=1655058780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655055180.000000000, search_lt=1655058807.173009000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3692", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_a0860bff758e5030", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1860, eliminated_buckets=134, considered_events=39749710, total_slices=14013602, decompressed_slices=3872610, duration.command.search.index=13941, invocations.command.search.index.bucketcache.hit=1859, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=215902, invocations.command.search.rawdata.bucketcache.hit=273, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 18:16:30.758, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1655057760_15137', total_run_time=7.79, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655057770, api_et=1655053560.000000000, api_lt=1655057160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655054160.000000000, search_lt=1655057772.609512000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3208", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_fcb171a402678213", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1015, eliminated_buckets=339, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=616, invocations.command.search.index.bucketcache.hit=1015, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 18:15:00.157, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1655057640_15097', total_run_time=4.43, event_count=0, result_count=0, available_count=0, scan_count=10518, drop_count=0, exec_time=1655057663, api_et=1655054040.000000000, api_lt=1655057640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655054040.000000000, search_lt=1655057665.198412000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2699", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=418, eliminated_buckets=287, considered_events=10756, total_slices=389910, decompressed_slices=1918, duration.command.search.index=925, invocations.command.search.index.bucketcache.hit=418, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5423, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=35, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=68, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=196, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=45, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=4, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=55, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=8, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") 
`filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-12-2022 18:11:12.838, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1655057460_15029', total_run_time=5.63, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655057464, api_et=1655053860.000000000, api_lt=1655057460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655053860.000000000, search_lt=1655057467.426797000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="3490", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_bb1b65537e5b8c64", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=117, eliminated_buckets=42, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=51, invocations.command.search.index.bucketcache.hit=117, 
duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 18:09:42.820, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1655057340_14995', total_run_time=28.61, event_count=0, result_count=0, available_count=0, scan_count=3688454, drop_count=0, exec_time=1655057345, api_et=1655053140.000000000, api_lt=1655056740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655053140.000000000, search_lt=1655056740.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3024", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_04cbfc5ef9befd8d", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=778, eliminated_buckets=362, considered_events=3688454, total_slices=1111999, decompressed_slices=167618, duration.command.search.index=1546, invocations.command.search.index.bucketcache.hit=775, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=27505, invocations.command.search.rawdata.bucketcache.hit=6, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=92, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?<granted_account_id>\d+?):(?<granted_principal_name>.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 18:08:42.803, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1655057220_14974', total_run_time=15.32, event_count=1127, result_count=54, available_count=0, scan_count=314228, drop_count=0, exec_time=1655057280, api_et=1655053620.000000000, api_lt=1655057220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655053620.000000000, search_lt=1655057281.974349000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2687", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=418, eliminated_buckets=203, considered_events=321290, total_slices=602505, decompressed_slices=73993, duration.command.search.index=2720, invocations.command.search.index.bucketcache.hit=418, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=21732, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=256623, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=27607, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | 
rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-12-2022 18:07:42.766, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1655057220_14969', total_run_time=5.73, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655057246, api_et=1655053620.000000000, api_lt=1655057220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655053620.000000000, search_lt=1655057248.329405000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2729", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_fa96ee386dee4d14", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=418, eliminated_buckets=203, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=625, invocations.command.search.index.bucketcache.hit=418, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, 
invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 17:44:27.697, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1655055780_14502', total_run_time=22.77, event_count=0, result_count=0, available_count=0, scan_count=3249, drop_count=0, exec_time=1655055817, api_et=1655052180.000000000, api_lt=1655055780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655052180.000000000, search_lt=1655055819.888655000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2831", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_5ab862d298a782d1", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=125, eliminated_buckets=1, considered_events=3249, total_slices=1029303, decompressed_slices=821, duration.command.search.index=1035, invocations.command.search.index.bucketcache.hit=125, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5018, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 17:36:03.329, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1655055180_14298', total_run_time=36.62, event_count=0, result_count=0, available_count=0, scan_count=39683657, drop_count=0, exec_time=1655055206, api_et=1655051580.000000000, api_lt=1655055180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655051580.000000000, search_lt=1655055208.093858000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3902", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_db270f094d1679ef", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1875, eliminated_buckets=134, considered_events=39683657, total_slices=14100434, decompressed_slices=3879658, duration.command.search.index=13615, invocations.command.search.index.bucketcache.hit=1875, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=219254, invocations.command.search.rawdata.bucketcache.hit=285, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 17:16:23.334, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1655054160_13956', total_run_time=8.00, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655054170, api_et=1655049960.000000000, api_lt=1655053560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655050560.000000000, search_lt=1655054172.524495000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3240", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_3c399b973cb92f43", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1013, eliminated_buckets=338, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=616, invocations.command.search.index.bucketcache.hit=1013, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?<rapiddiag_operation>task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metadata")` | rex field=uri "\?(?<get_parameters>.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?<task_name>.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metadata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 17:14:40.060, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1655054040_13915', total_run_time=4.24, event_count=0, result_count=0, available_count=0, scan_count=12491, drop_count=0, exec_time=1655054063, api_et=1655050440.000000000, api_lt=1655054040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655050440.000000000, search_lt=1655054065.321757000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2824", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=420, eliminated_buckets=286, considered_events=12568, total_slices=424571, decompressed_slices=2079, duration.command.search.index=910, invocations.command.search.index.bucketcache.hit=419, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5333, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=37, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=50, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=124, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=25, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=8, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=63, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=3, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") 
`filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-12-2022 17:11:23.259, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1655053860_13849', total_run_time=4.75, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655053864, api_et=1655050260.000000000, api_lt=1655053860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655050260.000000000, search_lt=1655053866.627797000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2665", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_699c0ef86b971af0", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=118, eliminated_buckets=43, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=54, invocations.command.search.index.bucketcache.hit=118, 
duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 17:09:39.657, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1655053740_13818', total_run_time=22.07, event_count=0, result_count=0, available_count=0, scan_count=3687894, drop_count=0, exec_time=1655053745, api_et=1655049540.000000000, api_lt=1655053140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655049540.000000000, search_lt=1655053140.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3004", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_87c984794e5a7f53", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=783, eliminated_buckets=360, considered_events=3687894, total_slices=1067541, decompressed_slices=168790, duration.command.search.index=1564, invocations.command.search.index.bucketcache.hit=778, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=28424, invocations.command.search.rawdata.bucketcache.hit=7, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=191, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 17:08:23.172, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1655053620_13799', total_run_time=16.23, event_count=1187, result_count=60, available_count=0, scan_count=327863, drop_count=0, exec_time=1655053680, api_et=1655050020.000000000, api_lt=1655053620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655050020.000000000, search_lt=1655053682.276322000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2802", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=420, eliminated_buckets=205, considered_events=335445, total_slices=571101, decompressed_slices=83742, duration.command.search.index=2799, invocations.command.search.index.bucketcache.hit=419, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=23743, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=270432, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=28183, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | 
rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-12-2022 17:07:53.189, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1655053620_13793', total_run_time=5.11, event_count=0, result_count=0, available_count=0, scan_count=2, drop_count=0, exec_time=1655053646, api_et=1655050020.000000000, api_lt=1655053620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655050020.000000000, search_lt=1655053648.609296000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2770", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_140bed2d3fce5985", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=420, eliminated_buckets=205, considered_events=2, total_slices=19892, decompressed_slices=2, duration.command.search.index=680, invocations.command.search.index.bucketcache.hit=419, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, 
invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=256, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 17:00:27.396, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655053140_13604', total_run_time=13.15, event_count=0, result_count=0, available_count=0, scan_count=18911575, drop_count=0, exec_time=1655053190, api_et=1655038740.000000000, api_lt=1655053140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655038740.000000000, search_lt=1655053140.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2727", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=18911575, total_slices=1577121, decompressed_slices=357073, duration.command.search.index=6551, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53291, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10340301, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 16:59:27.051, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655053080_13591', total_run_time=11.95, event_count=0, result_count=0, available_count=0, scan_count=18908477, drop_count=0, exec_time=1655053130, api_et=1655038680.000000000, api_lt=1655053080.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655038680.000000000, search_lt=1655053080.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2684", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=18908477, total_slices=1602444, decompressed_slices=357049, duration.command.search.index=6438, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51546, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10339094, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 16:58:27.016, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655053020_13574', total_run_time=14.11, event_count=0, result_count=0, available_count=0, scan_count=18906065, drop_count=0, exec_time=1655053069, api_et=1655038620.000000000, api_lt=1655053020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655038620.000000000, search_lt=1655053020.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2833", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=18906065, total_slices=1600879, decompressed_slices=357035, duration.command.search.index=7208, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51773, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10340075, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 16:57:27.197, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655052960_13555', total_run_time=12.08, event_count=0, result_count=0, available_count=0, scan_count=18905445, drop_count=0, exec_time=1655053009, api_et=1655038560.000000000, api_lt=1655052960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655038560.000000000, search_lt=1655052960.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2563", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=18905445, total_slices=1599287, decompressed_slices=357082, duration.command.search.index=6756, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52489, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10340892, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 16:56:26.998, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655052900_13544', total_run_time=17.16, event_count=0, result_count=0, available_count=0, scan_count=18904281, drop_count=0, exec_time=1655052949, api_et=1655038500.000000000, api_lt=1655052900.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655038500.000000000, search_lt=1655052900.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3148", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=18904281, total_slices=1597677, decompressed_slices=357006, duration.command.search.index=8329, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=54110, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10340213, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 16:55:27.067, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655052840_13528', total_run_time=11.95, event_count=0, result_count=0, available_count=0, scan_count=18906323, drop_count=0, exec_time=1655052890, api_et=1655038440.000000000, api_lt=1655052840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655038440.000000000, search_lt=1655052840.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2809", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=18906323, total_slices=1596094, decompressed_slices=357049, duration.command.search.index=6852, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=47905, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10341361, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 16:54:27.269, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655052780_13511', total_run_time=12.40, event_count=0, result_count=0, available_count=0, scan_count=18905843, drop_count=0, exec_time=1655052829, api_et=1655038380.000000000, api_lt=1655052780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655038380.000000000, search_lt=1655052780.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2674", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=18905843, total_slices=1594474, decompressed_slices=357085, duration.command.search.index=6897, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=49243, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10341642, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 16:53:27.308, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655052720_13486', total_run_time=12.94, event_count=0, result_count=0, available_count=0, scan_count=18905004, drop_count=0, exec_time=1655052769, api_et=1655038320.000000000, api_lt=1655052720.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655038320.000000000, search_lt=1655052720.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2662", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=18905004, total_slices=1592747, decompressed_slices=357147, duration.command.search.index=7170, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51312, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10343149, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 16:52:26.953, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655052660_13469', total_run_time=12.25, event_count=0, result_count=0, available_count=0, scan_count=18903701, drop_count=0, exec_time=1655052709, api_et=1655038260.000000000, api_lt=1655052660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655038260.000000000, search_lt=1655052660.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2676", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=18903701, total_slices=1591319, decompressed_slices=357121, duration.command.search.index=7287, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=50268, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10342647, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 16:51:27.190, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655052600_13445', total_run_time=12.55, event_count=0, result_count=0, available_count=0, scan_count=18904068, drop_count=0, exec_time=1655052649, api_et=1655038200.000000000, api_lt=1655052600.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655038200.000000000, search_lt=1655052600.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2610", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=18904068, total_slices=1589653, decompressed_slices=357043, duration.command.search.index=7221, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52466, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10341723, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 16:50:13.352, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655052540_13422', total_run_time=12.08, event_count=0, result_count=0, available_count=0, scan_count=18900035, drop_count=0, exec_time=1655052589, api_et=1655038140.000000000, api_lt=1655052540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655038140.000000000, search_lt=1655052540.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2628", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=18900035, total_slices=1588087, decompressed_slices=357018, duration.command.search.index=7307, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=49361, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10337949, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 16:49:45.869, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655052480_13399', total_run_time=12.08, event_count=0, result_count=0, available_count=0, scan_count=18898860, drop_count=0, exec_time=1655052529, api_et=1655038080.000000000, api_lt=1655052480.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655038080.000000000, search_lt=1655052480.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2787", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=18898860, total_slices=1586549, decompressed_slices=357060, duration.command.search.index=7302, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=50138, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10338263, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 16:49:45.436, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655052420_13382', total_run_time=11.87, event_count=0, result_count=0, available_count=0, scan_count=18898942, drop_count=0, exec_time=1655052469, api_et=1655038020.000000000, api_lt=1655052420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655038020.000000000, search_lt=1655052420.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2735", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=18898942, total_slices=1584927, decompressed_slices=357042, duration.command.search.index=7093, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51597, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10338800, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 16:47:30.753, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655052360_13360', total_run_time=11.78, event_count=0, result_count=0, available_count=0, scan_count=18901087, drop_count=0, exec_time=1655052409, api_et=1655037960.000000000, api_lt=1655052360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655037960.000000000, search_lt=1655052360.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2530", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=18901087, total_slices=1583346, decompressed_slices=357051, duration.command.search.index=6773, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=49127, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10340458, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 16:46:30.659, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655052300_13342', total_run_time=12.07, event_count=0, result_count=0, available_count=0, scan_count=18897192, drop_count=0, exec_time=1655052349, api_et=1655037900.000000000, api_lt=1655052300.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655037900.000000000, search_lt=1655052300.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2590", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=18897192, total_slices=1581727, decompressed_slices=357018, duration.command.search.index=6580, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52077, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10338892, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 16:45:30.565, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655052240_13320', total_run_time=12.04, event_count=0, result_count=0, available_count=0, scan_count=18897114, drop_count=0, exec_time=1655052289, api_et=1655037840.000000000, api_lt=1655052240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655037840.000000000, search_lt=1655052240.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2734", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=18897114, total_slices=1580144, decompressed_slices=357032, duration.command.search.index=6689, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51899, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10339277, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 16:44:30.696, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655052180_13299', total_run_time=12.11, event_count=0, result_count=0, available_count=0, scan_count=18895545, drop_count=0, exec_time=1655052229, api_et=1655037780.000000000, api_lt=1655052180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655037780.000000000, search_lt=1655052180.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3091", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=18895545, total_slices=1578537, decompressed_slices=357080, duration.command.search.index=6682, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53149, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10339910, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 16:44:00.578, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1655052180_13296', total_run_time=21.56, event_count=0, result_count=0, available_count=0, scan_count=3589, drop_count=0, exec_time=1655052218, api_et=1655048580.000000000, api_lt=1655052180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655048580.000000000, search_lt=1655052220.809554000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2867", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_8f792529bd17fc96", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=127, eliminated_buckets=0, considered_events=3589, total_slices=1097631, decompressed_slices=994, duration.command.search.index=1098, invocations.command.search.index.bucketcache.hit=127, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4799, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter 
vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 16:43:30.497, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655052120_13270', total_run_time=12.74, event_count=0, result_count=0, available_count=0, scan_count=18895156, drop_count=0, exec_time=1655052169, api_et=1655037720.000000000, api_lt=1655052120.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655037720.000000000, search_lt=1655052120.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2600", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=18895156, total_slices=1576969, decompressed_slices=357092, duration.command.search.index=6818, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51813, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10341088, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 16:42:30.352, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655052060_13247', total_run_time=12.80, event_count=0, result_count=0, available_count=0, scan_count=18887432, drop_count=0, exec_time=1655052109, api_et=1655037660.000000000, api_lt=1655052060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655037660.000000000, search_lt=1655052060.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2667", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=18887432, total_slices=1575400, decompressed_slices=357132, duration.command.search.index=7184, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52472, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10338785, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 16:41:31.214, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655052000_13222', total_run_time=12.97, event_count=0, result_count=0, available_count=0, scan_count=18881824, drop_count=0, exec_time=1655052049, api_et=1655037600.000000000, api_lt=1655052000.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655037600.000000000, search_lt=1655052000.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2630", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=18881824, total_slices=1573821, decompressed_slices=357049, duration.command.search.index=6887, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52499, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10337141, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 16:40:20.324, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655051940_13200', total_run_time=12.24, event_count=0, result_count=0, available_count=0, scan_count=18877741, drop_count=0, exec_time=1655051989, api_et=1655037540.000000000, api_lt=1655051940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655037540.000000000, search_lt=1655051940.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2790", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=18877741, total_slices=1572070, decompressed_slices=356966, duration.command.search.index=6751, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=49118, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10334871, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 16:39:58.339, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655051880_13184', total_run_time=12.50, event_count=0, result_count=0, available_count=0, scan_count=18870229, drop_count=0, exec_time=1655051930, api_et=1655037480.000000000, api_lt=1655051880.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655037480.000000000, search_lt=1655051880.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2683", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=18870229, total_slices=1570497, decompressed_slices=356936, duration.command.search.index=6926, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=47958, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10330218, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 16:38:22.348, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655051820_13169', total_run_time=12.60, event_count=0, result_count=0, available_count=0, scan_count=18868195, drop_count=0, exec_time=1655051870, api_et=1655037420.000000000, api_lt=1655051820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655037420.000000000, search_lt=1655051820.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2705", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=18868195, total_slices=1568795, decompressed_slices=356906, duration.command.search.index=6773, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=49953, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10329694, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 16:37:23.165, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655051760_13154', total_run_time=12.70, event_count=0, result_count=0, available_count=0, scan_count=18865604, drop_count=0, exec_time=1655051810, api_et=1655037360.000000000, api_lt=1655051760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655037360.000000000, search_lt=1655051760.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2581", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=18865604, total_slices=1567295, decompressed_slices=356893, duration.command.search.index=6695, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52349, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10328471, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 16:36:10.239, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655051700_13144', total_run_time=11.69, event_count=0, result_count=0, available_count=0, scan_count=18859886, drop_count=0, exec_time=1655051749, api_et=1655037300.000000000, api_lt=1655051700.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655037300.000000000, search_lt=1655051700.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2212", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=18859886, total_slices=1565663, decompressed_slices=356792, duration.command.search.index=6691, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=50516, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10324835, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 16:35:47.249, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1655051580_13073', total_run_time=45.51, event_count=0, result_count=0, available_count=0, scan_count=39518211, drop_count=0, exec_time=1655051605, api_et=1655047980.000000000, api_lt=1655051580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655047980.000000000, search_lt=1655051607.650932000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3611", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_40b558cf6b0d9a5b", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1857, eliminated_buckets=134, considered_events=39518211, total_slices=14032531, decompressed_slices=3875774, duration.command.search.index=14288, invocations.command.search.index.bucketcache.hit=1856, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=223452, invocations.command.search.rawdata.bucketcache.hit=268, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 16:35:46.273, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655051640_13123', total_run_time=14.28, event_count=0, result_count=0, available_count=0, scan_count=18856443, drop_count=0, exec_time=1655051690, api_et=1655037240.000000000, api_lt=1655051640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655037240.000000000, search_lt=1655051640.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2770", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=18856443, total_slices=1564052, decompressed_slices=356752, duration.command.search.index=7349, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52199, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10322454, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 16:35:45.937, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655051580_13087', total_run_time=15.36, event_count=0, result_count=0, available_count=0, scan_count=18851317, drop_count=0, exec_time=1655051630, api_et=1655037180.000000000, api_lt=1655051580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655037180.000000000, search_lt=1655051580.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2636", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=18851317, total_slices=1562328, decompressed_slices=356793, duration.command.search.index=8309, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59567, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10318524, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 16:33:09.398, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655051520_13050', total_run_time=16.58, event_count=0, result_count=0, available_count=0, scan_count=18846127, drop_count=0, exec_time=1655051569, api_et=1655037120.000000000, api_lt=1655051520.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655037120.000000000, search_lt=1655051520.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3116", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=18846127, total_slices=1560858, decompressed_slices=356725, duration.command.search.index=7528, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55484, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10315738, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 16:32:09.183, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655051460_13021', total_run_time=15.97, event_count=0, result_count=0, available_count=0, scan_count=18841165, drop_count=0, exec_time=1655051509, api_et=1655037060.000000000, api_lt=1655051460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655037060.000000000, search_lt=1655051460.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3165", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=18841165, total_slices=1559279, decompressed_slices=356692, duration.command.search.index=8245, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=64022, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10312419, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 16:31:09.324, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655051400_12993', total_run_time=16.31, event_count=0, result_count=0, available_count=0, scan_count=18836085, drop_count=0, exec_time=1655051450, api_et=1655037000.000000000, api_lt=1655051400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655037000.000000000, search_lt=1655051400.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2773", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=18836085, total_slices=1557650, decompressed_slices=356652, duration.command.search.index=7925, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=62111, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10306878, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 16:30:24.719, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655051340_12964', total_run_time=12.07, event_count=0, result_count=0, available_count=0, scan_count=18834507, drop_count=0, exec_time=1655051389, api_et=1655036940.000000000, api_lt=1655051340.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655036940.000000000, search_lt=1655051340.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2206", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=18834507, total_slices=1555989, decompressed_slices=356659, duration.command.search.index=6703, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51058, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10302351, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 16:29:55.676, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655051280_12950', total_run_time=12.16, event_count=0, result_count=0, available_count=0, scan_count=18831659, drop_count=0, exec_time=1655051329, api_et=1655036880.000000000, api_lt=1655051280.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655036880.000000000, search_lt=1655051280.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2739", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=18831659, total_slices=1554359, decompressed_slices=356700, duration.command.search.index=6680, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51813, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10299420, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 16:28:16.203, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655051220_12935', total_run_time=12.14, event_count=0, result_count=0, available_count=0, scan_count=18827392, drop_count=0, exec_time=1655051270, api_et=1655036820.000000000, api_lt=1655051220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655036820.000000000, search_lt=1655051220.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2657", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=18827392, total_slices=1552737, decompressed_slices=356650, duration.command.search.index=6617, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53006, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10296145, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 16:27:16.249, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655051160_12916', total_run_time=11.64, event_count=0, result_count=0, available_count=0, scan_count=18822651, drop_count=0, exec_time=1655051209, api_et=1655036760.000000000, api_lt=1655051160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655036760.000000000, search_lt=1655051160.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2615", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=18822651, total_slices=1551064, decompressed_slices=356627, duration.command.search.index=6729, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=49319, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10293823, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 16:26:16.075, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655051100_12900', total_run_time=12.46, event_count=0, result_count=0, available_count=0, scan_count=18815697, drop_count=0, exec_time=1655051149, api_et=1655036700.000000000, api_lt=1655051100.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655036700.000000000, search_lt=1655051100.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3063", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=18815697, total_slices=1549469, decompressed_slices=356533, duration.command.search.index=6628, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=49754, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10291693, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 16:25:16.234, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655051040_12887', total_run_time=13.00, event_count=0, result_count=0, available_count=0, scan_count=18815840, drop_count=0, exec_time=1655051089, api_et=1655036640.000000000, api_lt=1655051040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655036640.000000000, search_lt=1655051040.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2222", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=18815840, total_slices=1547734, decompressed_slices=356503, duration.command.search.index=7019, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=49174, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10292383, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 16:24:16.234, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655050980_12868', total_run_time=11.48, event_count=0, result_count=0, available_count=0, scan_count=18814038, drop_count=0, exec_time=1655051029, api_et=1655036580.000000000, api_lt=1655050980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655036580.000000000, search_lt=1655050980.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2555", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=18814038, total_slices=1546116, decompressed_slices=356518, duration.command.search.index=6817, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=49501, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10290661, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 16:23:16.204, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655050920_12835', total_run_time=12.68, event_count=0, result_count=0, available_count=0, scan_count=18808121, drop_count=0, exec_time=1655050969, api_et=1655036520.000000000, api_lt=1655050920.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655036520.000000000, search_lt=1655050920.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2873", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=18808121, total_slices=1544524, decompressed_slices=356484, duration.command.search.index=6886, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=48910, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10288751, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 16:22:16.046, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655050860_12819', total_run_time=13.33, event_count=0, result_count=0, available_count=0, scan_count=18804267, drop_count=0, exec_time=1655050909, api_et=1655036460.000000000, api_lt=1655050860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655036460.000000000, search_lt=1655050860.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2571", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=18804267, total_slices=1542892, decompressed_slices=356461, duration.command.search.index=7434, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52416, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10287742, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 16:21:16.281, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655050800_12789', total_run_time=12.43, event_count=0, result_count=0, available_count=0, scan_count=18800387, drop_count=0, exec_time=1655050849, api_et=1655036400.000000000, api_lt=1655050800.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655036400.000000000, search_lt=1655050800.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2662", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=18800387, total_slices=1541214, decompressed_slices=356336, duration.command.search.index=6976, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=50055, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10284802, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 16:21:16.217, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD5f35305de57109d38_at_1655050800_12792', total_run_time=12.86, event_count=10284802, result_count=14, available_count=0, scan_count=18800387, drop_count=0, exec_time=1655050857, api_et=1655036400.000000000, api_lt=1655050800.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655036400.000000000, search_lt=1655050800.000000000, is_realtime=0, savedsearch_name="(1/3)_Public/NAT IP_Updating Existing IP", search_startup_time="2590", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_0f6d107c44b6659a", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=18800387, total_slices=1541414, decompressed_slices=356338, duration.command.search.index=6820, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51450, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10284802, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="False" | eval earliest_seen=strptime(existing_es, "%m/%d/%Y %H:%M:%S.%N") | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(earliest_seen) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields ServiceType, host, src_translated_ip, earliest_seen, latest_seen, right_now, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 16:20:15.478, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655050740_12764', total_run_time=12.49, event_count=0, result_count=0, available_count=0, scan_count=18800853, drop_count=0, exec_time=1655050789, api_et=1655036340.000000000, api_lt=1655050740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655036340.000000000, search_lt=1655050740.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2720", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=18800853, total_slices=1539598, decompressed_slices=356302, duration.command.search.index=6882, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=49397, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10282895, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 16:19:44.324, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655050680_12739', total_run_time=13.51, event_count=0, result_count=0, available_count=0, scan_count=18793613, drop_count=0, exec_time=1655050730, api_et=1655036280.000000000, api_lt=1655050680.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655036280.000000000, search_lt=1655050680.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3006", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=18793613, total_slices=1538019, decompressed_slices=356291, duration.command.search.index=7361, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52898, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10279552, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 16:18:16.157, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655050620_12718', total_run_time=13.43, event_count=0, result_count=0, available_count=0, scan_count=18788185, drop_count=0, exec_time=1655050669, api_et=1655036220.000000000, api_lt=1655050620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655036220.000000000, search_lt=1655050620.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2840", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=18788185, total_slices=1536315, decompressed_slices=356211, duration.command.search.index=7204, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=48328, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10276469, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 16:17:16.188, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655050560_12694', total_run_time=13.03, event_count=0, result_count=0, available_count=0, scan_count=18782995, drop_count=0, exec_time=1655050609, api_et=1655036160.000000000, api_lt=1655050560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655036160.000000000, search_lt=1655050560.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2598", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=18782995, total_slices=1534680, decompressed_slices=356143, duration.command.search.index=6834, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=49652, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10272541, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 16:16:46.127, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1655050560_12688', total_run_time=8.57, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655050570, api_et=1655046360.000000000, api_lt=1655049960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655046960.000000000, search_lt=1655050572.791121000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3811", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_0a70b583da33c550", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1013, eliminated_buckets=339, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=626, invocations.command.search.index.bucketcache.hit=1013, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes 
values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 16:16:16.152, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655050500_12677', total_run_time=12.63, event_count=0, result_count=0, available_count=0, scan_count=18780000, drop_count=0, exec_time=1655050549, api_et=1655036100.000000000, api_lt=1655050500.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655036100.000000000, search_lt=1655050500.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2596", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=133, eliminated_buckets=0, considered_events=18780000, total_slices=1532997, 
decompressed_slices=356012, duration.command.search.index=7137, invocations.command.search.index.bucketcache.hit=133, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=50775, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10269507, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 16:15:06.086, 
user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655050380_12635', total_run_time=11.47, event_count=0, result_count=0, available_count=0, scan_count=18771367, drop_count=0, exec_time=1655050430, api_et=1655035980.000000000, api_lt=1655050380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655035980.000000000, search_lt=1655050380.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2750", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=133, eliminated_buckets=0, considered_events=18771367, total_slices=1529412, decompressed_slices=355876, duration.command.search.index=6712, invocations.command.search.index.bucketcache.hit=133, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52022, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10260517, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" 
dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 16:15:06.030, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1655050440_12645', total_run_time=4.20, event_count=0, result_count=0, available_count=0, scan_count=9923, drop_count=0, exec_time=1655050463, api_et=1655046840.000000000, api_lt=1655050440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655046840.000000000, search_lt=1655050465.159706000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2864", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=423, eliminated_buckets=290, considered_events=10163, total_slices=497321, decompressed_slices=1959, duration.command.search.index=869, invocations.command.search.index.bucketcache.hit=423, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5310, invocations.command.search.rawdata.bucketcache.hit=5, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=34, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=42, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=127, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=30, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=3, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=77, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=4, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR 
sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." 
(CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-12-2022 16:15:05.754, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655050440_12658', total_run_time=11.51, event_count=0, result_count=0, available_count=0, scan_count=18776641, drop_count=0, exec_time=1655050489, api_et=1655036040.000000000, api_lt=1655050440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655036040.000000000, search_lt=1655050440.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2673", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=133, eliminated_buckets=0, considered_events=18776641, total_slices=1530953, decompressed_slices=355891, duration.command.search.index=6924, invocations.command.search.index.bucketcache.hit=133, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=48304, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10265283, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 16:13:03.367, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655050320_12607', total_run_time=11.75, event_count=0, result_count=0, available_count=0, scan_count=18769440, drop_count=0, exec_time=1655050369, api_et=1655035920.000000000, api_lt=1655050320.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655035920.000000000, search_lt=1655050320.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2711", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=133, eliminated_buckets=0, considered_events=18769440, total_slices=1528056, decompressed_slices=355860, duration.command.search.index=6791, invocations.command.search.index.bucketcache.hit=133, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52278, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10256655, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 16:12:03.346, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655050260_12589', total_run_time=11.60, event_count=0, result_count=0, available_count=0, scan_count=18766801, drop_count=0, exec_time=1655050309, api_et=1655035860.000000000, api_lt=1655050260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655035860.000000000, search_lt=1655050260.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3089", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=133, eliminated_buckets=0, considered_events=18766801, total_slices=1526423, decompressed_slices=355751, duration.command.search.index=6951, invocations.command.search.index.bucketcache.hit=133, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51559, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10253603, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 16:11:33.352, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1655050260_12571', total_run_time=5.27, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655050265, api_et=1655046660.000000000, api_lt=1655050260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655046660.000000000, search_lt=1655050267.277464000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="3122", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_7ca589c53bc79641", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=117, eliminated_buckets=42, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=53, invocations.command.search.index.bucketcache.hit=117, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting 
to collect intellectual property from the Gitlab source control system." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 16:11:03.358, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655050200_12564', total_run_time=11.71, event_count=0, result_count=0, available_count=0, scan_count=18759758, drop_count=0, exec_time=1655050250, api_et=1655035800.000000000, api_lt=1655050200.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655035800.000000000, search_lt=1655050200.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2687", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=133, eliminated_buckets=0, considered_events=18759758, total_slices=1524836, decompressed_slices=355614, duration.command.search.index=6962, invocations.command.search.index.bucketcache.hit=133, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51915, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10249973, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 16:10:03.205, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655050140_12545', total_run_time=11.83, event_count=0, result_count=0, available_count=0, scan_count=18758484, drop_count=0, exec_time=1655050189, api_et=1655035740.000000000, api_lt=1655050140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655035740.000000000, search_lt=1655050140.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2561", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=133, eliminated_buckets=0, considered_events=18758484, total_slices=1523129, decompressed_slices=355595, duration.command.search.index=7050, invocations.command.search.index.bucketcache.hit=133, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=48836, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10248554, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 16:09:37.900, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1655050140_12537', total_run_time=22.08, event_count=0, result_count=0, available_count=0, scan_count=3654654, drop_count=0, exec_time=1655050145, api_et=1655045940.000000000, api_lt=1655049540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655045940.000000000, search_lt=1655049540.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3037", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_75766a73a199070e", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=769, eliminated_buckets=356, considered_events=3654654, total_slices=1014253, decompressed_slices=167090, duration.command.search.index=1579, invocations.command.search.index.bucketcache.hit=769, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=28184, invocations.command.search.rawdata.bucketcache.hit=7, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=80, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 16:09:22.482, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655050080_12529', total_run_time=12.28, event_count=0, result_count=0, available_count=0, scan_count=18754954, drop_count=0, exec_time=1655050129, api_et=1655035680.000000000, api_lt=1655050080.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655035680.000000000, search_lt=1655050080.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New 
IP", search_startup_time="2561", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=133, eliminated_buckets=0, considered_events=18754954, total_slices=1521399, decompressed_slices=355603, duration.command.search.index=6906, invocations.command.search.index.bucketcache.hit=133, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=49879, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10247008, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as 
latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 16:09:22.268, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1655050020_12515', total_run_time=22.00, event_count=1109, result_count=54, available_count=0, scan_count=293896, drop_count=0, exec_time=1655050080, api_et=1655046420.000000000, api_lt=1655050020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655046420.000000000, search_lt=1655050082.230785000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2986", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=423, eliminated_buckets=206, considered_events=300778, total_slices=545988, decompressed_slices=79092, duration.command.search.index=2845, invocations.command.search.index.bucketcache.hit=423, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=22063, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=240417, 
sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=25763, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-12-2022 16:08:03.358, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655050020_12512', total_run_time=12.24, event_count=0, result_count=0, available_count=0, scan_count=18754484, drop_count=0, 
exec_time=1655050069, api_et=1655035620.000000000, api_lt=1655050020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655035620.000000000, search_lt=1655050020.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2720", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=133, eliminated_buckets=0, considered_events=18754484, total_slices=1519789, decompressed_slices=355517, duration.command.search.index=7118, invocations.command.search.index.bucketcache.hit=133, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=48329, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10247383, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW 
src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 16:07:33.298, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655049960_12491', total_run_time=15.13, event_count=0, result_count=0, available_count=0, scan_count=18754868, drop_count=0, exec_time=1655050010, api_et=1655035560.000000000, api_lt=1655049960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655035560.000000000, search_lt=1655049960.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2696", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=133, eliminated_buckets=0, considered_events=18754868, total_slices=1518230, decompressed_slices=355508, duration.command.search.index=7579, invocations.command.search.index.bucketcache.hit=133, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=54393, 
invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10247536, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 16:07:33.191, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1655050020_12507', total_run_time=6.01, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655050046, api_et=1655046420.000000000, api_lt=1655050020.000000000, api_index_et=N/A, api_index_lt=N/A, 
search_et=1655046420.000000000, search_lt=1655050048.256710000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2713", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_50648cb3a4eb7feb", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=423, eliminated_buckets=206, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=586, invocations.command.search.index.bucketcache.hit=423, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine 
"sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 16:06:03.312, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655049900_12477', total_run_time=12.74, event_count=0, result_count=0, available_count=0, scan_count=18753188, drop_count=0, exec_time=1655049950, api_et=1655035500.000000000, api_lt=1655049900.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655035500.000000000, search_lt=1655049900.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3235", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=133, eliminated_buckets=0, considered_events=18753188, total_slices=1516619, decompressed_slices=355518, duration.command.search.index=6717, invocations.command.search.index.bucketcache.hit=133, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51876, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10247585, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 16:05:19.954, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655049840_12459', total_run_time=15.60, event_count=0, result_count=0, available_count=0, 
scan_count=18752518, drop_count=0, exec_time=1655049889, api_et=1655035440.000000000, api_lt=1655049840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655035440.000000000, search_lt=1655049840.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2760", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=133, eliminated_buckets=0, considered_events=18752518, total_slices=1514981, decompressed_slices=355517, duration.command.search.index=7564, invocations.command.search.index.bucketcache.hit=133, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53750, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10247782, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv 
src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 16:05:19.231, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655049720_12372', total_run_time=15.52, event_count=0, result_count=0, available_count=0, scan_count=18751243, drop_count=0, exec_time=1655049770, api_et=1655035320.000000000, api_lt=1655049720.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655035320.000000000, search_lt=1655049720.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2638", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=133, eliminated_buckets=0, considered_events=18751243, total_slices=1511768, decompressed_slices=355537, duration.command.search.index=7724, invocations.command.search.index.bucketcache.hit=133, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61381, 
invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10250291, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 16:05:18.984, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655049780_12418', total_run_time=15.52, event_count=0, result_count=0, available_count=0, scan_count=18749801, drop_count=0, exec_time=1655049829, api_et=1655035380.000000000, api_lt=1655049780.000000000, api_index_et=N/A, api_index_lt=N/A, 
search_et=1655035380.000000000, search_lt=1655049780.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2648", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=133, eliminated_buckets=0, considered_events=18749801, total_slices=1513428, decompressed_slices=355511, duration.command.search.index=8545, invocations.command.search.index.bucketcache.hit=133, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=64650, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10247820, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval 
isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 16:02:32.257, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655049660_12341', total_run_time=13.59, event_count=0, result_count=0, available_count=0, scan_count=18748698, drop_count=0, exec_time=1655049709, api_et=1655035260.000000000, api_lt=1655049660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655035260.000000000, search_lt=1655049660.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2682", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=133, eliminated_buckets=0, considered_events=18748698, total_slices=1510263, decompressed_slices=355498, duration.command.search.index=8188, invocations.command.search.index.bucketcache.hit=133, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59350, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, 
invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10252243, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 16:01:32.183, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655049600_12311', total_run_time=13.85, event_count=0, result_count=0, available_count=0, scan_count=18748335, drop_count=0, exec_time=1655049650, api_et=1655035200.000000000, api_lt=1655049600.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655035200.000000000, search_lt=1655049600.000000000, is_realtime=0, 
savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2652", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=133, eliminated_buckets=0, considered_events=18748335, total_slices=1508549, decompressed_slices=355447, duration.command.search.index=7162, invocations.command.search.index.bucketcache.hit=133, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55359, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10252974, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as 
ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 15:44:19.031, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1655048580_12022', total_run_time=22.13, event_count=0, result_count=0, available_count=0, scan_count=3502, drop_count=0, exec_time=1655048618, api_et=1655044980.000000000, api_lt=1655048580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655044980.000000000, search_lt=1655048620.210246000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2918", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_38c79168c4642291", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=123, eliminated_buckets=0, considered_events=3502, total_slices=1019232, decompressed_slices=881, duration.command.search.index=1053, invocations.command.search.index.bucketcache.hit=123, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5029, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, 
invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 15:35:45.267, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1655047980_11815', total_run_time=35.75, event_count=0, result_count=0, available_count=0, scan_count=39515967, drop_count=0, exec_time=1655048005, api_et=1655044380.000000000, api_lt=1655047980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655044380.000000000, search_lt=1655048007.125268000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3828", has_error_msg=false, 
fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_a01e829fec1bd1c2", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1856, eliminated_buckets=134, considered_events=39515967, total_slices=13983242, decompressed_slices=3889438, duration.command.search.index=13806, invocations.command.search.index.bucketcache.hit=1855, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=216321, invocations.command.search.rawdata.bucketcache.hit=264, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, 
risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 15:16:46.213, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1655046960_11471', total_run_time=8.25, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655046970, api_et=1655042760.000000000, api_lt=1655046360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655043360.000000000, search_lt=1655046972.245482000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3257", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_0d79841055c6e145", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1013, eliminated_buckets=339, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=626, invocations.command.search.index.bucketcache.hit=1013, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 15:14:46.081, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1655046840_11431', total_run_time=4.24, event_count=0, result_count=0, available_count=0, scan_count=13015, drop_count=0, exec_time=1655046863, api_et=1655043240.000000000, api_lt=1655046840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655043240.000000000, search_lt=1655046865.061687000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2698", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=424, eliminated_buckets=286, considered_events=13150, total_slices=587383, decompressed_slices=2289, duration.command.search.index=877, invocations.command.search.index.bucketcache.hit=421, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5464, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=27, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=46, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=92, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=20, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=5, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=140, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=2, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") 
`filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-12-2022 15:11:16.865, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1655046660_11364', total_run_time=4.94, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655046664, api_et=1655043060.000000000, api_lt=1655046660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655043060.000000000, search_lt=1655046666.368668000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2867", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_1f6566b53cccf235", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=117, eliminated_buckets=43, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=48, invocations.command.search.index.bucketcache.hit=117, 
duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 15:09:46.316, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1655046540_11330', total_run_time=19.32, event_count=0, result_count=0, available_count=0, scan_count=3688008, drop_count=0, exec_time=1655046546, api_et=1655042340.000000000, api_lt=1655045940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655042340.000000000, search_lt=1655045940.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3100", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_f51015a95c8397f3", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=780, eliminated_buckets=368, considered_events=3688008, total_slices=1005076, decompressed_slices=167039, duration.command.search.index=1525, invocations.command.search.index.bucketcache.hit=780, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=27319, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=80, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?<granted_account_id>\d+?):(?<granted_principal_name>.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 15:08:17.031, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1655046420_11311', total_run_time=14.16, event_count=1120, result_count=55, available_count=0, scan_count=299301, drop_count=0, exec_time=1655046480, api_et=1655042820.000000000, api_lt=1655046420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655042820.000000000, search_lt=1655046482.153460000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2792", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=423, eliminated_buckets=206, considered_events=302648, total_slices=524850, decompressed_slices=72624, duration.command.search.index=2635, invocations.command.search.index.bucketcache.hit=421, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=20935, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=244064, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=26747, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | 
rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-12-2022 15:07:46.557, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1655046420_11306', total_run_time=4.97, event_count=0, result_count=0, available_count=0, scan_count=2, drop_count=0, exec_time=1655046446, api_et=1655042820.000000000, api_lt=1655046420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655042820.000000000, search_lt=1655046448.677258000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2776", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_b239c3691cf015e8", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=423, eliminated_buckets=206, considered_events=2, total_slices=18691, decompressed_slices=2, duration.command.search.index=589, invocations.command.search.index.bucketcache.hit=421, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, 
invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=277, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 15:01:18.411, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD58fc6ce7dc2a03380_at_1655046000_11131', total_run_time=8.13, event_count=174193, result_count=103, available_count=0, scan_count=410255, drop_count=0, exec_time=1655046049, api_et=1654441200.000000000, api_lt=1655046000.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654387200.000000000, search_lt=1655046050.787854000, is_realtime=0, savedsearch_name="Slack User ID Mapping - u00002", search_startup_time="2511", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_9fff2b6269330203", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=72, eliminated_buckets=0, considered_events=410255, total_slices=27730, decompressed_slices=11477, duration.command.search.index=283, invocations.command.search.index.bucketcache.hit=72, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=6159, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__slack:audit=174193, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=obs-collab sourcetype=slack:audit context.location.name=Tshirt actor.user.name!=Slackbot earliest=-7d@d | stats values(actor.user.name) as username, values(actor.user.email) as email, values(actor.user.team) as team, earliest(_time) as earliest_event, latest(_time) as latest_event, values(context.ip_address) as ip_address, values(context.ua) as ua by actor.user.id | lookup dmo_slack_mapping.csv actor.user.id OUTPUT actor.user.id AS exists | where isnull(exists) | fields - exists | table actor.user.id, username, earliest_event, latest_event, email, ip_address, team, ua | outputlookup append=t dmo_slack_mapping.csv'] Audit:[timestamp=06-12-2022 14:44:01.683, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1655044980_10829', total_run_time=20.95, event_count=0, result_count=0, available_count=0, scan_count=3249, drop_count=0, exec_time=1655045018, api_et=1655041380.000000000, api_lt=1655044980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655041380.000000000, search_lt=1655045020.553617000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2857", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_024964383c27f03b", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=127, eliminated_buckets=0, considered_events=3249, total_slices=969480, decompressed_slices=854, 
duration.command.search.index=1056, invocations.command.search.index.bucketcache.hit=127, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4619, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 14:36:45.077, user=u00001, action=search, info=completed, 
search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1655044380_10619', total_run_time=35.10, event_count=0, result_count=0, available_count=0, scan_count=39767103, drop_count=0, exec_time=1655044405, api_et=1655040780.000000000, api_lt=1655044380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655040780.000000000, search_lt=1655044407.429350000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3621", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_bda3d847426cfc28", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1871, eliminated_buckets=134, considered_events=39767103, total_slices=14136683, decompressed_slices=3915417, duration.command.search.index=16964, invocations.command.search.index.bucketcache.hit=1870, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=217249, invocations.command.search.rawdata.bucketcache.hit=277, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR 
index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 14:16:24.875, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1655043360_10269', total_run_time=8.16, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655043370, api_et=1655039160.000000000, api_lt=1655042760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655039760.000000000, search_lt=1655043372.253069000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3242", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_341c62e2260be249", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1018, eliminated_buckets=340, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=634, invocations.command.search.index.bucketcache.hit=1018, 
duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?<rapiddiag_operation>task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?<get_parameters>.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?<task_name>.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval 
risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 14:14:54.972, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1655043240_10229', total_run_time=4.30, event_count=0, result_count=0, available_count=0, scan_count=14429, drop_count=0, exec_time=1655043263, api_et=1655039640.000000000, api_lt=1655043240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655039640.000000000, search_lt=1655043265.331338000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2720", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=423, eliminated_buckets=287, considered_events=14509, total_slices=613230, decompressed_slices=2197, duration.command.search.index=988, invocations.command.search.index.bucketcache.hit=422, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5458, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, 
duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=20, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=37, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=215, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=22, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=2, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=69, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=2, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR 
sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." 
(CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-12-2022 14:11:24.848, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1655043060_10162', total_run_time=5.51, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655043064, api_et=1655039460.000000000, api_lt=1655043060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655039460.000000000, search_lt=1655043067.370902000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="3379", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_4705583e574cdef7", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=117, eliminated_buckets=42, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=52, invocations.command.search.index.bucketcache.hit=117, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 14:09:53.845, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1655042820_10111', total_run_time=23.96, event_count=2046, result_count=107, available_count=0, scan_count=344218, drop_count=0, exec_time=1655042880, api_et=1655039220.000000000, api_lt=1655042820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655039220.000000000, search_lt=1655042882.445871000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2758", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=422, eliminated_buckets=206, considered_events=349761, total_slices=504747, decompressed_slices=78197, duration.command.search.index=2897, invocations.command.search.index.bucketcache.hit=422, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=23750, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=283196, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=33101, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-12-2022 14:09:53.119, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1655042940_10131', total_run_time=18.92, event_count=0, result_count=0, available_count=0, scan_count=3740769, drop_count=0, exec_time=1655042945, api_et=1655038740.000000000, api_lt=1655042340.000000000, 
api_index_et=N/A, api_index_lt=N/A, search_et=1655038740.000000000, search_lt=1655042340.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3065", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_dace132a422270cd", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=784, eliminated_buckets=367, considered_events=3740769, total_slices=967196, decompressed_slices=169660, duration.command.search.index=1568, invocations.command.search.index.bucketcache.hit=782, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=28994, invocations.command.search.rawdata.bucketcache.hit=5, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=80, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats 
earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 14:07:42.847, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1655042820_10106', total_run_time=5.59, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655042846, api_et=1655039220.000000000, api_lt=1655042820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655039220.000000000, search_lt=1655042848.744881000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2986", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_fac0a37c46cb4fa8", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=422, eliminated_buckets=206, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=594, invocations.command.search.index.bucketcache.hit=422, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, 
invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 13:44:21.073, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1655041380_9640', total_run_time=21.26, event_count=0, result_count=0, available_count=0, scan_count=3570, drop_count=0, exec_time=1655041418, api_et=1655037780.000000000, api_lt=1655041380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655037780.000000000, search_lt=1655041420.307798000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2809", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_ccf6acb770a44941", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=127, eliminated_buckets=0, considered_events=3570, total_slices=1138046, decompressed_slices=878, duration.command.search.index=1078, invocations.command.search.index.bucketcache.hit=127, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5025, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 13:36:14.505, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1655040780_9434', total_run_time=34.71, event_count=0, result_count=0, available_count=0, scan_count=39810743, drop_count=0, exec_time=1655040805, api_et=1655037180.000000000, api_lt=1655040780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655037180.000000000, search_lt=1655040806.971877000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3605", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_0b6b3251f72c7053", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1851, eliminated_buckets=134, considered_events=39810743, total_slices=13979950, decompressed_slices=3923544, duration.command.search.index=13823, invocations.command.search.index.bucketcache.hit=1850, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=216159, invocations.command.search.rawdata.bucketcache.hit=266, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 13:16:47.675, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1655039760_9093', total_run_time=7.83, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655039771, api_et=1655035560.000000000, api_lt=1655039160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655036160.000000000, search_lt=1655039773.161747000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3401", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_ca594a3021106d08", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1019, eliminated_buckets=343, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=657, invocations.command.search.index.bucketcache.hit=1019, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metadata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metadata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 13:14:47.738, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1655039640_9053', total_run_time=4.64, event_count=0, result_count=0, available_count=0, scan_count=7262, drop_count=0, exec_time=1655039663, api_et=1655036040.000000000, api_lt=1655039640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655036040.000000000, search_lt=1655039665.341406000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="3037", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=421, eliminated_buckets=286, considered_events=7262, total_slices=623114, decompressed_slices=1550, duration.command.search.index=953, invocations.command.search.index.bucketcache.hit=420, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5257, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=39, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=25, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=378, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=14, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=5, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=108, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=5, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") 
`filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-12-2022 13:11:17.643, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1655039460_8988', total_run_time=4.93, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655039464, api_et=1655035860.000000000, api_lt=1655039460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655035860.000000000, search_lt=1655039465.957601000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2836", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_bb30a9b325d01b9a", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=117, eliminated_buckets=42, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=51, invocations.command.search.index.bucketcache.hit=117, 
duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 13:09:47.632, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1655039340_8957', total_run_time=18.14, event_count=0, result_count=0, available_count=0, scan_count=3733785, drop_count=0, exec_time=1655039345, api_et=1655035140.000000000, api_lt=1655038740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655035140.000000000, search_lt=1655038740.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3054", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_c36599913389ffdf", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=773, eliminated_buckets=355, considered_events=3733785, total_slices=1042179, decompressed_slices=170191, duration.command.search.index=1602, invocations.command.search.index.bucketcache.hit=773, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=28959, invocations.command.search.rawdata.bucketcache.hit=9, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=86, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 13:08:47.957, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1655039220_8944', total_run_time=19.99, event_count=1886, result_count=108, available_count=0, scan_count=347342, drop_count=0, exec_time=1655039284, api_et=1655035620.000000000, api_lt=1655039220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655035620.000000000, search_lt=1655039286.510768000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="3041", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=422, eliminated_buckets=207, considered_events=355949, total_slices=443804, decompressed_slices=80583, duration.command.search.index=2898, invocations.command.search.index.bucketcache.hit=421, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=23127, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=1, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=285854, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=33554, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype 
CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-12-2022 13:07:47.793, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1655039220_8933', total_run_time=4.38, event_count=0, result_count=0, available_count=0, scan_count=1, drop_count=0, exec_time=1655039246, api_et=1655035620.000000000, api_lt=1655039220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655035620.000000000, search_lt=1655039247.928168000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2731", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_bfcac06536d80f70", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=422, eliminated_buckets=207, considered_events=1, total_slices=1753, decompressed_slices=1, duration.command.search.index=591, invocations.command.search.index.bucketcache.hit=421, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=125, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 13:00:18.538, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655038740_8745', total_run_time=17.88, event_count=0, result_count=0, available_count=0, scan_count=18901937, drop_count=0, exec_time=1655038790, api_et=1655024340.000000000, api_lt=1655038740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655024340.000000000, search_lt=1655038740.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="5537", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=124, eliminated_buckets=0, considered_events=18901937, total_slices=1246620, decompressed_slices=358555, duration.command.search.index=6756, invocations.command.search.index.bucketcache.hit=124, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=63292, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10504189, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 12:59:17.807, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655038680_8732', total_run_time=12.26, event_count=0, result_count=0, available_count=0, scan_count=18904454, drop_count=0, exec_time=1655038729, api_et=1655024280.000000000, api_lt=1655038680.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655024280.000000000, search_lt=1655038680.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2577", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=124, eliminated_buckets=0, considered_events=18904454, total_slices=1244951, decompressed_slices=358578, duration.command.search.index=6935, invocations.command.search.index.bucketcache.hit=124, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51186, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10506323, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 12:58:17.551, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655038620_8717', total_run_time=11.68, event_count=0, result_count=0, available_count=0, scan_count=18904603, drop_count=0, exec_time=1655038669, api_et=1655024220.000000000, api_lt=1655038620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655024220.000000000, search_lt=1655038620.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2704", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=124, eliminated_buckets=0, considered_events=18904603, total_slices=1243327, decompressed_slices=358577, duration.command.search.index=6915, invocations.command.search.index.bucketcache.hit=124, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=50906, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10506126, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 12:57:17.702, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655038560_8699', total_run_time=11.42, event_count=0, result_count=0, available_count=0, scan_count=18901611, drop_count=0, exec_time=1655038609, api_et=1655024160.000000000, api_lt=1655038560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655024160.000000000, search_lt=1655038560.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2707", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=124, eliminated_buckets=0, considered_events=18901611, total_slices=1241746, decompressed_slices=358548, duration.command.search.index=6978, invocations.command.search.index.bucketcache.hit=124, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51183, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10505996, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 12:56:17.620, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655038500_8688', total_run_time=11.41, event_count=0, result_count=0, available_count=0, scan_count=18897915, drop_count=0, exec_time=1655038549, api_et=1655024100.000000000, api_lt=1655038500.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655024100.000000000, search_lt=1655038500.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2605", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=124, eliminated_buckets=0, considered_events=18897915, total_slices=1240120, decompressed_slices=358526, duration.command.search.index=6713, invocations.command.search.index.bucketcache.hit=124, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=50848, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10504486, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 12:55:17.894, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655038440_8671', total_run_time=13.21, event_count=0, result_count=0, available_count=0, scan_count=18896706, drop_count=0, exec_time=1655038490, api_et=1655024040.000000000, api_lt=1655038440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655024040.000000000, search_lt=1655038440.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3130", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=124, eliminated_buckets=0, considered_events=18896706, total_slices=1238536, decompressed_slices=358603, duration.command.search.index=6818, invocations.command.search.index.bucketcache.hit=124, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=49939, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10504822, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 12:54:31.082, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655038380_8654', total_run_time=12.86, event_count=0, result_count=0, available_count=0, scan_count=18894541, drop_count=0, exec_time=1655038429, api_et=1655023980.000000000, api_lt=1655038380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655023980.000000000, search_lt=1655038380.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3178", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=124, eliminated_buckets=0, considered_events=18894541, total_slices=1236899, decompressed_slices=358506, duration.command.search.index=7177, invocations.command.search.index.bucketcache.hit=124, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=48437, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10505093, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 12:53:17.876, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655038320_8630', total_run_time=22.69, event_count=0, result_count=0, available_count=0, scan_count=18896112, drop_count=0, exec_time=1655038370, api_et=1655023920.000000000, api_lt=1655038320.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655023920.000000000, search_lt=1655038320.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2609", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=124, eliminated_buckets=0, considered_events=18896112, total_slices=1235295, decompressed_slices=358479, duration.command.search.index=10001, invocations.command.search.index.bucketcache.hit=124, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=107540, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10505601, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 12:52:18.503, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655038260_8613', total_run_time=12.38, event_count=0, result_count=0, available_count=0, scan_count=18893717, drop_count=0, exec_time=1655038309, api_et=1655023860.000000000, api_lt=1655038260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655023860.000000000, search_lt=1655038260.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2841", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=124, eliminated_buckets=0, considered_events=18893717, total_slices=1233619, decompressed_slices=358468, duration.command.search.index=7029, invocations.command.search.index.bucketcache.hit=124, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=50224, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10507306, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 12:51:09.518, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655038140_8566', total_run_time=11.99, event_count=0, result_count=0, available_count=0, scan_count=18888515, drop_count=0, exec_time=1655038189, api_et=1655023740.000000000, api_lt=1655038140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655023740.000000000, search_lt=1655038140.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2688", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=124, eliminated_buckets=0, considered_events=18888515, total_slices=1230357, decompressed_slices=358522, duration.command.search.index=7343, invocations.command.search.index.bucketcache.hit=124, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=49624, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10507887, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 12:51:07.611, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655038200_8588', total_run_time=12.30, event_count=0, result_count=0, available_count=0, scan_count=18889568, drop_count=0, exec_time=1655038249, api_et=1655023800.000000000, api_lt=1655038200.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655023800.000000000, search_lt=1655038200.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2804", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=124, eliminated_buckets=0, considered_events=18889568, total_slices=1232021, decompressed_slices=358494, duration.command.search.index=7225, invocations.command.search.index.bucketcache.hit=124, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=49999, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10507783, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 12:51:07.560, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655038080_8544', total_run_time=11.88, event_count=0, result_count=0, available_count=0, scan_count=18887053, drop_count=0, exec_time=1655038129, api_et=1655023680.000000000, api_lt=1655038080.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655023680.000000000, search_lt=1655038080.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2607", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=124, eliminated_buckets=0, considered_events=18887053, total_slices=1228798, decompressed_slices=358467, duration.command.search.index=7099, invocations.command.search.index.bucketcache.hit=124, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51947, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10508112, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 12:48:02.297, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655038020_8528', total_run_time=11.29, event_count=0, result_count=0, available_count=0, scan_count=18886412, drop_count=0, exec_time=1655038069, api_et=1655023620.000000000, api_lt=1655038020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655023620.000000000, search_lt=1655038020.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2595", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=124, eliminated_buckets=0, considered_events=18886412, total_slices=1227154, decompressed_slices=358419, duration.command.search.index=6933, invocations.command.search.index.bucketcache.hit=124, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52489, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10508380, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 12:47:02.243, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655037960_8507', total_run_time=11.28, event_count=0, result_count=0, available_count=0, scan_count=18881531, drop_count=0, exec_time=1655038009, api_et=1655023560.000000000, api_lt=1655037960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655023560.000000000, search_lt=1655037960.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2606", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=124, eliminated_buckets=0, considered_events=18881531, total_slices=1225566, decompressed_slices=358371, duration.command.search.index=6827, invocations.command.search.index.bucketcache.hit=124, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=50470, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10507643, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 12:46:02.331, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655037900_8489', total_run_time=12.12, event_count=0, result_count=0, available_count=0, scan_count=18879694, drop_count=0, exec_time=1655037949, api_et=1655023500.000000000, api_lt=1655037900.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655023500.000000000, search_lt=1655037900.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2626", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=124, eliminated_buckets=0, considered_events=18879694, total_slices=1223979, decompressed_slices=358393, duration.command.search.index=6706, invocations.command.search.index.bucketcache.hit=124, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53289, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10508150, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 12:45:32.250, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655037840_8466', total_run_time=12.57, event_count=0, result_count=0, available_count=0, scan_count=18876783, drop_count=0, exec_time=1655037890, api_et=1655023440.000000000, api_lt=1655037840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655023440.000000000, search_lt=1655037840.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3119", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=124, eliminated_buckets=0, considered_events=18876783, total_slices=1222431, decompressed_slices=358387, duration.command.search.index=6865, invocations.command.search.index.bucketcache.hit=124, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53158, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10507920, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 12:44:22.796, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1655037780_8442', total_run_time=21.27, event_count=0, result_count=0, available_count=0, scan_count=3190, drop_count=0, exec_time=1655037818, api_et=1655034180.000000000, api_lt=1655037780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655034180.000000000, search_lt=1655037820.068329000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2729", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_13f0e93b6e107ec5", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=123, eliminated_buckets=0, considered_events=3190, total_slices=993933, decompressed_slices=799, duration.command.search.index=1134, invocations.command.search.index.bucketcache.hit=123, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4843, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 12:44:22.382, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655037780_8445', total_run_time=12.09, event_count=0, result_count=0, available_count=0, scan_count=18876082, drop_count=0, exec_time=1655037829, api_et=1655023380.000000000, api_lt=1655037780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655023380.000000000, search_lt=1655037780.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3105", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=124, eliminated_buckets=0, considered_events=18876082, total_slices=1220793, decompressed_slices=358361, duration.command.search.index=6845, invocations.command.search.index.bucketcache.hit=124, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51722, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10509109, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 12:43:02.306, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655037720_8417', total_run_time=12.12, event_count=0, result_count=0, available_count=0, scan_count=18874110, drop_count=0, exec_time=1655037769, api_et=1655023320.000000000, api_lt=1655037720.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655023320.000000000, search_lt=1655037720.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2608", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=124, eliminated_buckets=0, considered_events=18874110, total_slices=1219171, decompressed_slices=358238, duration.command.search.index=7067, invocations.command.search.index.bucketcache.hit=124, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=49535, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10508415, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 12:42:02.053, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655037660_8394', total_run_time=12.30, event_count=0, result_count=0, available_count=0, scan_count=18871943, drop_count=0, exec_time=1655037709, api_et=1655023260.000000000, api_lt=1655037660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655023260.000000000, search_lt=1655037660.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2498", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=124, eliminated_buckets=0, considered_events=18871943, total_slices=1217625, decompressed_slices=358158, duration.command.search.index=7030, invocations.command.search.index.bucketcache.hit=124, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53461, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10508726, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 12:41:32.630, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655037600_8368', total_run_time=11.83, event_count=0, result_count=0, available_count=0, scan_count=18872162, drop_count=0, exec_time=1655037648, api_et=1655023200.000000000, api_lt=1655037600.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655023200.000000000, search_lt=1655037600.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2763", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=124, eliminated_buckets=0, considered_events=18872162, total_slices=1216078, decompressed_slices=358161, duration.command.search.index=6763, invocations.command.search.index.bucketcache.hit=124, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52257, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10510062, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 12:41:32.309, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655037480_8331', total_run_time=11.54, event_count=0, result_count=0, available_count=0, scan_count=18876095, drop_count=0, exec_time=1655037529, api_et=1655023080.000000000, api_lt=1655037480.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655023080.000000000, search_lt=1655037480.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2741", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=124, eliminated_buckets=0, considered_events=18876095, total_slices=1212845, decompressed_slices=358248, duration.command.search.index=7100, invocations.command.search.index.bucketcache.hit=124, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51625, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10516292, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 12:41:32.235, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655037540_8347', total_run_time=11.91, event_count=0, result_count=0, available_count=0, scan_count=18873794, drop_count=0, exec_time=1655037589, api_et=1655023140.000000000, api_lt=1655037540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655023140.000000000, search_lt=1655037540.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2634", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=124, eliminated_buckets=0, considered_events=18873794, total_slices=1214415, decompressed_slices=358270, duration.command.search.index=6941, invocations.command.search.index.bucketcache.hit=124, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51055, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10512116, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 12:38:07.108, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655037420_8316', total_run_time=11.86, event_count=0, result_count=0, available_count=0, scan_count=18878447, drop_count=0, exec_time=1655037469, api_et=1655023020.000000000, api_lt=1655037420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655023020.000000000, search_lt=1655037420.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2705", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=124, eliminated_buckets=0, considered_events=18878447, total_slices=1211238, decompressed_slices=358196, duration.command.search.index=6919, invocations.command.search.index.bucketcache.hit=124, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52070, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10518434, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 12:37:06.921, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655037360_8301', total_run_time=11.97, event_count=0, result_count=0, available_count=0, scan_count=18877409, drop_count=0, exec_time=1655037410, api_et=1655022960.000000000, api_lt=1655037360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655022960.000000000, search_lt=1655037360.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2573", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=124, eliminated_buckets=0, considered_events=18877409, total_slices=1209674, decompressed_slices=358139, duration.command.search.index=6727, invocations.command.search.index.bucketcache.hit=124, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53542, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10518955, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 12:36:25.241, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655037300_8291', total_run_time=11.20, event_count=0, result_count=0, available_count=0, scan_count=18879809, drop_count=0, exec_time=1655037350, api_et=1655022900.000000000, api_lt=1655037300.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655022900.000000000, search_lt=1655037300.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2599", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=124, eliminated_buckets=0, considered_events=18879809, total_slices=1208035, decompressed_slices=358206, duration.command.search.index=6930, invocations.command.search.index.bucketcache.hit=124, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=47437, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10521865, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 12:36:00.985, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655037240_8270', total_run_time=12.72, event_count=0, result_count=0, available_count=0, scan_count=18884096, drop_count=0, exec_time=1655037290, api_et=1655022840.000000000, api_lt=1655037240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655022840.000000000, search_lt=1655037240.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2713", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=125, eliminated_buckets=0, considered_events=18884096, total_slices=1233517, decompressed_slices=358300, duration.command.search.index=7123, invocations.command.search.index.bucketcache.hit=125, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=48573, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10526041, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 12:36:00.684, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655037180_8234', total_run_time=14.53, event_count=0, result_count=0, available_count=0, scan_count=18886363, drop_count=0, exec_time=1655037229, api_et=1655022780.000000000, api_lt=1655037180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655022780.000000000, search_lt=1655037180.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2690", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=125, eliminated_buckets=0, considered_events=18886363, total_slices=1231948, decompressed_slices=358222, duration.command.search.index=8251, invocations.command.search.index.bucketcache.hit=125, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56608, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10528869, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 12:36:00.032, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1655037180_8220', total_run_time=35.31, event_count=0, result_count=0, available_count=0, scan_count=40057210, drop_count=0, exec_time=1655037205, api_et=1655033580.000000000, api_lt=1655037180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655033580.000000000, search_lt=1655037207.329172000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3860", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_0b4ebb44941db4c9", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1859, eliminated_buckets=134, considered_events=40057210, total_slices=13912746, decompressed_slices=3937020, duration.command.search.index=13992, invocations.command.search.index.bucketcache.hit=1855, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=217918, invocations.command.search.rawdata.bucketcache.hit=268, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 12:33:07.617, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655037120_8197', total_run_time=13.34, event_count=0, result_count=0, available_count=0, scan_count=18888195, drop_count=0, exec_time=1655037169, api_et=1655022720.000000000, api_lt=1655037120.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655022720.000000000, search_lt=1655037120.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2785", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=18888195, total_slices=1230277, decompressed_slices=358176, duration.command.search.index=7573, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52467, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10530791, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 12:32:07.758, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655037060_8167', total_run_time=14.70, event_count=0, result_count=0, available_count=0, scan_count=18887296, drop_count=0, exec_time=1655037109, api_et=1655022660.000000000, api_lt=1655037060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655022660.000000000, search_lt=1655037060.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2988", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=18887296, total_slices=1256143, decompressed_slices=358112, duration.command.search.index=7766, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=54923, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10531201, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 12:31:07.793, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655037000_8139', total_run_time=15.80, event_count=0, result_count=0, available_count=0, scan_count=18885677, drop_count=0, exec_time=1655037049, api_et=1655022600.000000000, api_lt=1655037000.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655022600.000000000, search_lt=1655037000.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2740", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=18885677, total_slices=1254625, decompressed_slices=358123, duration.command.search.index=7394, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=54691, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10531865, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 12:30:07.556, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655036880_8097', total_run_time=11.17, event_count=0, result_count=0, available_count=0, scan_count=18880186, drop_count=0, exec_time=1655036929, api_et=1655022480.000000000, api_lt=1655036880.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655022480.000000000, search_lt=1655036880.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2514", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=18880186, total_slices=1251289, decompressed_slices=358099, duration.command.search.index=6906, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51546, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10534836, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 12:30:07.307, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655036940_8110', total_run_time=12.41, event_count=0, result_count=0, available_count=0, scan_count=18881679, drop_count=0, exec_time=1655036990, api_et=1655022540.000000000, api_lt=1655036940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655022540.000000000, search_lt=1655036940.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2696", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=18881679, total_slices=1252699, decompressed_slices=358098, duration.command.search.index=6676, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52619, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10533490, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 12:28:11.899, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655036820_8083', total_run_time=11.56, event_count=0, result_count=0, available_count=0, scan_count=18879193, drop_count=0, exec_time=1655036869, api_et=1655022420.000000000, api_lt=1655036820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655022420.000000000, search_lt=1655036820.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2546", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=18879193, total_slices=1249627, decompressed_slices=358039, duration.command.search.index=7026, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51815, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10534616, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 12:27:11.766, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655036760_8064', total_run_time=10.97, event_count=0, result_count=0, available_count=0, scan_count=18877074, drop_count=0, exec_time=1655036809, api_et=1655022360.000000000, api_lt=1655036760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655022360.000000000, search_lt=1655036760.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2506", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=18877074, total_slices=1248021, decompressed_slices=357936, duration.command.search.index=6864, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=50448, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10533767, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 12:26:11.711, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655036700_8048', total_run_time=12.06, event_count=0, result_count=0, available_count=0, scan_count=18875167, drop_count=0, exec_time=1655036749, api_et=1655022300.000000000, api_lt=1655036700.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655022300.000000000, search_lt=1655036700.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3039", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=18875167, total_slices=1246393, decompressed_slices=357908, duration.command.search.index=6439, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52115, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10533617, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 12:25:11.989, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655036640_8034', total_run_time=11.93, event_count=0, result_count=0, available_count=0, scan_count=18871796, drop_count=0, exec_time=1655036690, api_et=1655022240.000000000, api_lt=1655036640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655022240.000000000, search_lt=1655036640.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2615", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=18871796, total_slices=1244781, decompressed_slices=357942, duration.command.search.index=6978, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=49061, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10532877, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 12:24:11.825, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655036580_8015', total_run_time=13.30, event_count=0, result_count=0, available_count=0, scan_count=18869114, drop_count=0, exec_time=1655036629, api_et=1655022180.000000000, api_lt=1655036580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655022180.000000000, search_lt=1655036580.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2718", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=18869114, total_slices=1243112, decompressed_slices=357798, duration.command.search.index=6921, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=49266, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10533655, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 12:23:11.710, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655036520_7983', total_run_time=14.29, event_count=0, result_count=0, available_count=0, scan_count=18869294, drop_count=0, exec_time=1655036569, api_et=1655022120.000000000, api_lt=1655036520.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655022120.000000000, search_lt=1655036520.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2640", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=18869294, total_slices=1241346, decompressed_slices=357807, duration.command.search.index=7381, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=49657, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10533713, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 12:22:11.946, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655036460_7967', total_run_time=11.66, event_count=0, result_count=0, available_count=0, scan_count=18867508, drop_count=0, exec_time=1655036509, api_et=1655022060.000000000, api_lt=1655036460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655022060.000000000, search_lt=1655036460.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2548", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=18867508, total_slices=1239813, decompressed_slices=357825, duration.command.search.index=7297, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51593, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10533043, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 12:21:11.762, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655036400_7939', total_run_time=12.08, event_count=0, result_count=0, available_count=0, scan_count=18869099, drop_count=0, exec_time=1655036449, api_et=1655022000.000000000, api_lt=1655036400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655022000.000000000, search_lt=1655036400.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2692", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=18869099, total_slices=1238285, decompressed_slices=357871, duration.command.search.index=7710, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52387, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10535840, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 12:20:12.563, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655036340_7915', total_run_time=13.07, event_count=0, result_count=0, available_count=0, scan_count=18868333, drop_count=0, exec_time=1655036389, api_et=1655021940.000000000, api_lt=1655036340.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655021940.000000000, search_lt=1655036340.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2737", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=18868333, total_slices=1236707, decompressed_slices=357940, duration.command.search.index=7450, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=49987, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10537841, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 12:19:11.915, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655036280_7890', total_run_time=13.76, event_count=0, result_count=0, available_count=0, scan_count=18868585, drop_count=0, exec_time=1655036329, api_et=1655021880.000000000, api_lt=1655036280.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655021880.000000000, search_lt=1655036280.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2629", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=18868585, total_slices=1235214, decompressed_slices=357911, duration.command.search.index=7888, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56694, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10538658, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 12:18:11.778, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655036220_7869', total_run_time=13.58, event_count=0, result_count=0, available_count=0, scan_count=18869629, drop_count=0, exec_time=1655036270, api_et=1655021820.000000000, api_lt=1655036220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655021820.000000000, search_lt=1655036220.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2592", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=18869629, total_slices=1233607, decompressed_slices=357964, duration.command.search.index=7153, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=50480, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10539179, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 12:17:11.895, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655036160_7846', total_run_time=19.90, event_count=0, result_count=0, available_count=0, scan_count=18867660, drop_count=0, exec_time=1655036209, api_et=1655021760.000000000, api_lt=1655036160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655021760.000000000, search_lt=1655036160.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2671", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=18867660, total_slices=1232052, decompressed_slices=357953, duration.command.search.index=7558, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=54559, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10539085, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 12:16:41.627, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1655036160_7840', total_run_time=8.73, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655036171, api_et=1655031960.000000000, api_lt=1655035560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655032560.000000000, search_lt=1655036173.573492000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3776", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_c9d21347c208469d", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1020, eliminated_buckets=342, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=651, invocations.command.search.index.bucketcache.hit=1020, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 12:16:12.036, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655036100_7829', total_run_time=19.40, event_count=0, result_count=0, available_count=0, scan_count=18865783, drop_count=0, exec_time=1655036149, api_et=1655021700.000000000, api_lt=1655036100.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655021700.000000000, search_lt=1655036100.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2569", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=18865783, total_slices=1230467, decompressed_slices=358004, duration.command.search.index=7523, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56291, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10538765, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 12:15:11.643, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655036040_7810', total_run_time=16.52, event_count=0, result_count=0, available_count=0, scan_count=18866582, drop_count=0, exec_time=1655036089, api_et=1655021640.000000000, api_lt=1655036040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655021640.000000000, search_lt=1655036040.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2328", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=18866582, total_slices=1228892, decompressed_slices=358139, duration.command.search.index=7331, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55771, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10541980, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 12:14:40.972, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655035980_7787', total_run_time=15.81, event_count=0, result_count=0, available_count=0, scan_count=18866107, drop_count=0, exec_time=1655036029, api_et=1655021580.000000000, api_lt=1655035980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655021580.000000000, search_lt=1655035980.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2616", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=18866107, total_slices=1227332, decompressed_slices=358214, duration.command.search.index=7675, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61098, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10544199, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 12:14:40.847, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1655036040_7797', total_run_time=7.47, event_count=0, result_count=0, available_count=0, scan_count=12692, drop_count=0, exec_time=1655036063, api_et=1655032440.000000000, api_lt=1655036040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655032440.000000000, search_lt=1655036065.397051000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2781", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", 
provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=427, eliminated_buckets=290, considered_events=12692, total_slices=709406, decompressed_slices=2155, duration.command.search.index=1007, invocations.command.search.index.bucketcache.hit=427, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5683, invocations.command.search.rawdata.bucketcache.hit=5, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=41, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=73, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=100, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=22, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=4, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=224, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=2, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR 
sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." 
(CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-12-2022 12:13:12.007, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655035920_7759', total_run_time=12.39, event_count=0, result_count=0, available_count=0, scan_count=18864106, drop_count=0, exec_time=1655035969, api_et=1655021520.000000000, api_lt=1655035920.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655021520.000000000, search_lt=1655035920.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2755", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=18864106, total_slices=1225755, decompressed_slices=358155, duration.command.search.index=6841, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=50404, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10544828, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 12:12:11.864, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655035860_7741', total_run_time=11.72, event_count=0, result_count=0, available_count=0, scan_count=18862825, drop_count=0, exec_time=1655035909, api_et=1655021460.000000000, api_lt=1655035860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655021460.000000000, search_lt=1655035860.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3001", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=18862825, total_slices=1224238, decompressed_slices=358129, duration.command.search.index=7209, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=50795, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10545225, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 12:11:12.009, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655035800_7716', total_run_time=12.90, event_count=0, result_count=0, available_count=0, scan_count=18863308, drop_count=0, exec_time=1655035849, api_et=1655021400.000000000, api_lt=1655035800.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655021400.000000000, search_lt=1655035800.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2696", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=18863308, total_slices=1222277, decompressed_slices=358114, duration.command.search.index=7161, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52172, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10546553, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 12:11:11.907, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1655035860_7723', total_run_time=5.28, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655035864, api_et=1655032260.000000000, api_lt=1655035860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655032260.000000000, search_lt=1655035866.317233000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="3013", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_c8b786bd1ae73e83", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=118, eliminated_buckets=43, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=53, invocations.command.search.index.bucketcache.hit=118, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting 
to collect intellectual property from the Gitlab source control system." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 12:10:11.855, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655035740_7694', total_run_time=12.34, event_count=0, result_count=0, available_count=0, scan_count=18860979, drop_count=0, exec_time=1655035789, api_et=1655021340.000000000, api_lt=1655035740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655021340.000000000, search_lt=1655035740.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2679", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=18860979, total_slices=1220952, decompressed_slices=358089, duration.command.search.index=7040, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=50265, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10547469, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 12:09:31.777, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1655035740_7686', total_run_time=17.01, event_count=0, result_count=0, available_count=0, scan_count=3783697, drop_count=0, exec_time=1655035745, api_et=1655031540.000000000, api_lt=1655035140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655031540.000000000, search_lt=1655035140.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3050", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_029928b1a1f8f833", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=774, eliminated_buckets=357, considered_events=3783697, total_slices=1011236, decompressed_slices=170137, duration.command.search.index=1565, invocations.command.search.index.bucketcache.hit=774, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=27461, invocations.command.search.rawdata.bucketcache.hit=9, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=80, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?<granted_account_id>\d+?):(?<granted_principal_name>.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", 
risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 12:09:16.429, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1655035620_7669', total_run_time=23.05, event_count=1168, result_count=54, available_count=0, scan_count=299774, drop_count=0, exec_time=1655035684, api_et=1655032020.000000000, api_lt=1655035620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655032020.000000000, search_lt=1655035686.093428000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2944", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=428, eliminated_buckets=210, considered_events=307045, total_slices=454789, decompressed_slices=77370, duration.command.search.index=2607, invocations.command.search.index.bucketcache.hit=428, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=21714, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, 
invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=243438, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=27486, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-12-2022 12:09:16.366, user=u00002, action=search, info=completed, 
search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655035680_7678', total_run_time=11.17, event_count=0, result_count=0, available_count=0, scan_count=18861309, drop_count=0, exec_time=1655035729, api_et=1655021280.000000000, api_lt=1655035680.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655021280.000000000, search_lt=1655035680.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2606", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=18861309, total_slices=1219350, decompressed_slices=358033, duration.command.search.index=6869, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=50664, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10549111, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" 
src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 12:08:11.929, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655035620_7661', total_run_time=11.55, event_count=0, result_count=0, available_count=0, scan_count=18860607, drop_count=0, exec_time=1655035669, api_et=1655021220.000000000, api_lt=1655035620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655021220.000000000, search_lt=1655035620.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2618", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=18860607, total_slices=1217958, decompressed_slices=357942, duration.command.search.index=7213, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, 
invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=50270, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10549579, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 12:07:42.048, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1655035620_7656', total_run_time=5.66, 
event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655035646, api_et=1655032020.000000000, api_lt=1655035620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655032020.000000000, search_lt=1655035648.372222000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2775", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_b828b734bfa619bf", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=428, eliminated_buckets=209, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=625, invocations.command.search.index.bucketcache.hit=427, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR 
CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?<dest_host>(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 12:07:12.102, user=u00002, action=search, info=completed, search_id='scheduler__u00002__search__RMD5b133e58a16dd7195_at_1655035200_7610', total_run_time=121.74, event_count=2696, result_count=2695, available_count=0, scan_count=1757393, drop_count=0, exec_time=1655035490, api_et=1654948800.000000000, api_lt=1655035200.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1567209600.000000000, search_lt=1655035200.000000000, is_realtime=0, savedsearch_name="DMO Confluence Aging Metrics", search_startup_time="64394", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_search_u00002_b7c05d7ad2d5e0a5", app="search", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=30401, eliminated_buckets=4806, considered_events=1757393, total_slices=14038480, decompressed_slices=1089803, duration.command.search.index=964541, invocations.command.search.index.bucketcache.hit=26710, 
duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=3749, duration.command.search.index.bucketcache.miss=438375, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=208384, invocations.command.search.rawdata.bucketcache.hit=19677, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=1792, duration.command.search.rawdata.bucketcache.miss=289461, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__access=71088, sourcetype_count__atlassian:confluence:access=1170765, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search earliest=08/31/2019:00:00:00 latest=now index=ops_confluence url IN ("https://confluence.tshirt.com/display/SEC/*") uri_path="/rest/quickreload/latest/*" | fields url, uri_path | rex field=uri_path "\/rest\/quickreload\/latest\/(?<pageId>[^?]+)" | rex field=url "https:\/\/confluence.tshirt.com\/display\/SEC\/(?<pageTitle_1>[^?]+)" | rex field=url "https://confluence.tshirt.com/display/~u00001/(?<pageTitle_2>[^?]+)" | eval pageTitle=coalesce(pageTitle_1, pageTitle_2, "") | fields pageId, pageTitle | dedup pageId | join type=left pageId [search earliest=08/31/2019:00:00:00 latest=now index=ops_confluence PUT user=* url="https://confluence.tshirt.com/pages/resumedraft.action?draftId=*" uri_path="/rest/api/content/*" | rex field=uri_path "\/rest\/api\/content\/(?<pageId>[^?]+)\?status=draft" | stats latest(_time) AS last_edited latest(user) AS last_edited_by by pageId | fields last_edited last_edited_by pageId] | fields last_edited pageTitle pageId last_edited_by | eval days=round(((now()-last_edited)/86400),0) | convert ctime(last_edited) | table 
last_edited pageTitle pageId last_edited_by days | where pageId!=0 | sort +days | outputlookup dmo_conf_age.csv'] Audit:[timestamp=06-12-2022 12:07:11.960, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655035560_7641', total_run_time=12.33, event_count=0, result_count=0, available_count=0, scan_count=18859162, drop_count=0, exec_time=1655035609, api_et=1655021160.000000000, api_lt=1655035560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655021160.000000000, search_lt=1655035560.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2589", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=18859162, total_slices=1216505, decompressed_slices=357951, duration.command.search.index=7109, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51785, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10549833, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 12:06:11.808, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655035500_7627', total_run_time=13.18, event_count=0, result_count=0, available_count=0, scan_count=18860746, drop_count=0, exec_time=1655035550, api_et=1655021100.000000000, api_lt=1655035500.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655021100.000000000, search_lt=1655035500.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3369", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=18860746, total_slices=1214908, decompressed_slices=358049, duration.command.search.index=7019, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53092, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10551283, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 12:05:11.623, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655035440_7609', total_run_time=14.44, event_count=0, result_count=0, available_count=0, scan_count=18861034, drop_count=0, exec_time=1655035490, api_et=1655021040.000000000, api_lt=1655035440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655021040.000000000, search_lt=1655035440.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2764", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=18861034, total_slices=1213352, decompressed_slices=358136, duration.command.search.index=7495, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=54550, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10552506, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 12:04:41.040, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655035380_7566', total_run_time=15.46, event_count=0, result_count=0, available_count=0, scan_count=18862855, drop_count=0, exec_time=1655035429, api_et=1655020980.000000000, api_lt=1655035380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655020980.000000000, search_lt=1655035380.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2709", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=18862855, total_slices=1211808, decompressed_slices=358155, duration.command.search.index=9277, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=65466, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10554054, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 12:03:11.419, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655035320_7520', total_run_time=16.02, event_count=0, result_count=0, available_count=0, scan_count=18862779, drop_count=0, exec_time=1655035369, api_et=1655020920.000000000, api_lt=1655035320.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655020920.000000000, search_lt=1655035320.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2807", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=18862779, total_slices=1210150, decompressed_slices=358190, duration.command.search.index=7993, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=63990, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10554232, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 12:02:11.265, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655035260_7489', total_run_time=18.40, event_count=0, result_count=0, available_count=0, scan_count=18864972, drop_count=0, exec_time=1655035309, api_et=1655020860.000000000, api_lt=1655035260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655020860.000000000, search_lt=1655035260.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2567", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=18864972, total_slices=1208723, decompressed_slices=358226, duration.command.search.index=9181, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=73015, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10554192, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 12:01:41.389, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD5447569e8e48a25cb_at_1655035200_7453', total_run_time=62.90, event_count=0, result_count=103, available_count=0, scan_count=0, drop_count=0, exec_time=1655035232, api_et=1655033400.000000000, api_lt=1655035200.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655033400.000000000, search_lt=1655035200.000000000, is_realtime=0, savedsearch_name="DMO SOP SIR Metrics", search_startup_time="63588", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=0, eliminated_buckets=0, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=0, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='| inputlookup dmo_conf_age.csv | search pageTitle IN ("DMOESS*", "RQ-S*") NOT pageTitle IN ("*+Retired", "*+RETIRED") | rex field=pageTitle "^(?\S+?)\+" | join usecase_id [| search earliest=-1y index=sec_snow sourcetype=snow:sn_si_incident | rex field=description "(?s)\|\s(?(RQ-|DMOESS).*)?For ServiceNow Consumption:" | stats latest(number) as latest_sir_number by _time, usecase_title | makemv usecase_title delim=" | " | mvexpand usecase_title | search usecase_title IN ("RQ-*", "DMOESS*") | stats last(latest_sir_number) as latest_sir_number latest(_time) as last_appeared_in_sir by usecase_title | rex field=usecase_title "^(?\S*)" | fields usecase_id, usecase_title, latest_sir_number, last_appeared_in_sir] | stats values(pageTitle) as conf_pageTitle, values(last_edited_by) as conf_last_edited_by, values(last_edited) as conf_last_edited, values(days) as conf_days_since_last_edit, values(pageId) as conf_pageId by last_appeared_in_sir, latest_sir_number, usecase_id, usecase_title | convert ctime(last_appeared_in_sir) | outputlookup dmo_sop_sir_metrics.csv'] Audit:[timestamp=06-12-2022 12:01:11.108, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655035200_7457', total_run_time=15.02, event_count=0, result_count=0, available_count=0, scan_count=18866773, drop_count=0, exec_time=1655035249, api_et=1655020800.000000000, api_lt=1655035200.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655020800.000000000, search_lt=1655035200.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2680", has_error_msg=false, 
fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=18866773, total_slices=1206915, decompressed_slices=358270, duration.command.search.index=8500, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=62589, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10556153, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host 
src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 11:44:11.316, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1655034180_7167', total_run_time=21.34, event_count=0, result_count=0, available_count=0, scan_count=3383, drop_count=0, exec_time=1655034218, api_et=1655030580.000000000, api_lt=1655034180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655030580.000000000, search_lt=1655034220.135641000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2805", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_457db54a8030c01f", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=123, eliminated_buckets=0, considered_events=3383, total_slices=928790, decompressed_slices=914, duration.command.search.index=1059, invocations.command.search.index.bucketcache.hit=123, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4788, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 11:35:11.394, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1655033580_6960', total_run_time=35.16, event_count=0, result_count=0, available_count=0, scan_count=40148139, drop_count=0, exec_time=1655033605, api_et=1655029980.000000000, api_lt=1655033580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655029980.000000000, search_lt=1655033607.545457000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3789", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_0fd4d473766e4552", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1877, eliminated_buckets=134, considered_events=40148139, total_slices=14007067, decompressed_slices=3951667, duration.command.search.index=14227, invocations.command.search.index.bucketcache.hit=1877, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=218461, invocations.command.search.rawdata.bucketcache.hit=287, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 11:16:28.448, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1655032560_6620', total_run_time=8.98, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655032570, api_et=1655028360.000000000, api_lt=1655031960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655028960.000000000, search_lt=1655032572.212230000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3228", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_8f4560dd1653d8f6", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1017, eliminated_buckets=342, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=627, invocations.command.search.index.bucketcache.hit=1017, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 11:14:33.542, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1655032440_6579', total_run_time=4.33, event_count=0, result_count=0, available_count=0, scan_count=10666, drop_count=0, exec_time=1655032463, api_et=1655028840.000000000, api_lt=1655032440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655028840.000000000, search_lt=1655032464.978367000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2732", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=424, eliminated_buckets=292, considered_events=10744, total_slices=755025, decompressed_slices=2070, duration.command.search.index=931, invocations.command.search.index.bucketcache.hit=424, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5364, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=20, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=24, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=86, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=16, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=1, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=17, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=1, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") 
`filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-12-2022 11:11:28.285, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1655032260_6513', total_run_time=5.23, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655032264, api_et=1655028660.000000000, api_lt=1655032260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655028660.000000000, search_lt=1655032266.483761000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="3103", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_2e9325a1e0972d75", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=117, eliminated_buckets=42, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=53, invocations.command.search.index.bucketcache.hit=117, 
duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 11:09:27.987, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1655032140_6480', total_run_time=19.27, event_count=0, result_count=0, available_count=0, scan_count=3679146, drop_count=0, exec_time=1655032146, api_et=1655027940.000000000, api_lt=1655031540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655027940.000000000, search_lt=1655031540.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3096", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_da0a938eeec1c5c9", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=786, eliminated_buckets=361, considered_events=3679146, total_slices=1137360, decompressed_slices=168058, duration.command.search.index=1560, invocations.command.search.index.bucketcache.hit=782, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=27361, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=105, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 11:09:01.638, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1655032020_6461', total_run_time=21.48, event_count=1122, result_count=54, available_count=0, scan_count=282835, drop_count=0, exec_time=1655032080, api_et=1655028420.000000000, api_lt=1655032020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655028420.000000000, search_lt=1655032082.470091000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2799", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=424, eliminated_buckets=204, considered_events=292221, total_slices=613660, decompressed_slices=74314, duration.command.search.index=3004, invocations.command.search.index.bucketcache.hit=424, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=21499, invocations.command.search.rawdata.bucketcache.hit=7, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=231965, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=26415, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | 
rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-12-2022 11:07:58.094, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1655032020_6456', total_run_time=5.28, event_count=0, result_count=0, available_count=0, scan_count=1, drop_count=0, exec_time=1655032046, api_et=1655028420.000000000, api_lt=1655032020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655028420.000000000, search_lt=1655032048.750016000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2849", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_b3d7a836546eda95", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=424, eliminated_buckets=204, considered_events=1, total_slices=867, decompressed_slices=1, duration.command.search.index=603, invocations.command.search.index.bucketcache.hit=424, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, 
invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=125, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 10:44:45.689, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1655030580_5988', total_run_time=21.36, event_count=0, result_count=0, available_count=0, scan_count=3743, drop_count=0, exec_time=1655030618, api_et=1655026980.000000000, api_lt=1655030580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655026980.000000000, search_lt=1655030620.103391000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2860", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_801f54ec4257dcde", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=124, eliminated_buckets=0, considered_events=3743, total_slices=969825, decompressed_slices=1004, duration.command.search.index=1073, invocations.command.search.index.bucketcache.hit=124, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4849, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 10:37:41.771, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1655029980_5777', total_run_time=41.40, event_count=0, result_count=0, available_count=0, scan_count=40111615, drop_count=0, exec_time=1655030005, api_et=1655026380.000000000, api_lt=1655029980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655026380.000000000, search_lt=1655030007.670242000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3669", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_1f67556af70fca51", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1862, eliminated_buckets=134, considered_events=40111615, total_slices=13981363, decompressed_slices=3952122, duration.command.search.index=14547, invocations.command.search.index.bucketcache.hit=1861, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=222795, invocations.command.search.rawdata.bucketcache.hit=275, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 10:16:37.319, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1655028960_5426', total_run_time=9.17, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655028971, api_et=1655024760.000000000, api_lt=1655028360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655025360.000000000, search_lt=1655028972.879965000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3127", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_dfcc444fdd57c02d", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1016, eliminated_buckets=340, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=717, invocations.command.search.index.bucketcache.hit=1016, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 10:14:37.395, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1655028840_5386', total_run_time=4.82, event_count=0, result_count=0, available_count=0, scan_count=11375, drop_count=0, exec_time=1655028863, api_et=1655025240.000000000, api_lt=1655028840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655025240.000000000, search_lt=1655028865.182718000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2765", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=416, eliminated_buckets=284, considered_events=11375, total_slices=772906, decompressed_slices=1896, duration.command.search.index=912, invocations.command.search.index.bucketcache.hit=415, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5742, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=19, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=24, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=72, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=16, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=4, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=18, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | 
`filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-12-2022 10:11:25.063, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1655028660_5319', total_run_time=5.19, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655028664, api_et=1655025060.000000000, api_lt=1655028660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655025060.000000000, search_lt=1655028666.712872000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="3097", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_ea0b75508f8ec125", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=123, eliminated_buckets=48, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=50, invocations.command.search.index.bucketcache.hit=123, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 10:10:59.938, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1655028540_5287', total_run_time=18.47, event_count=0, result_count=0, available_count=0, scan_count=3731643, drop_count=0, exec_time=1655028545, api_et=1655024340.000000000, api_lt=1655027940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655024340.000000000, search_lt=1655027940.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3045", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_bb95cc774cfa8cb6", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=784, eliminated_buckets=365, considered_events=3731643, total_slices=1076421, decompressed_slices=171877, duration.command.search.index=1597, invocations.command.search.index.bucketcache.hit=783, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=28095, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=152, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 10:10:59.313, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1655028420_5267', total_run_time=15.06, event_count=1100, result_count=54, available_count=0, scan_count=285041, drop_count=0, exec_time=1655028480, api_et=1655024820.000000000, api_lt=1655028420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655024820.000000000, search_lt=1655028481.984151000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2867", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=415, eliminated_buckets=203, considered_events=291671, total_slices=596244, decompressed_slices=69491, duration.command.search.index=2560, invocations.command.search.index.bucketcache.hit=415, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=20886, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=233565, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=25483, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | 
rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-12-2022 10:08:01.485, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1655028420_5262', total_run_time=6.68, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655028446, api_et=1655024820.000000000, api_lt=1655028420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655024820.000000000, search_lt=1655028448.172728000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2721", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_439c6d957e2846be", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=415, eliminated_buckets=203, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=682, invocations.command.search.index.bucketcache.hit=415, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, 
invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 09:44:03.698, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1655026980_4796', total_run_time=21.85, event_count=0, result_count=0, available_count=0, scan_count=3121, drop_count=0, exec_time=1655027018, api_et=1655023380.000000000, api_lt=1655026980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655023380.000000000, search_lt=1655027020.207059000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2974", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_f93ed181aca8a3e2", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=124, eliminated_buckets=0, considered_events=3121, total_slices=748602, decompressed_slices=752, duration.command.search.index=1078, invocations.command.search.index.bucketcache.hit=124, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4844, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 09:43:29.238, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1655026380_4589', total_run_time=42.36, event_count=0, result_count=0, available_count=0, scan_count=40087538, drop_count=0, exec_time=1655026405, api_et=1655022780.000000000, api_lt=1655026380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655022780.000000000, search_lt=1655026407.989973000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3996", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_089ed1474975b067", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1864, eliminated_buckets=134, considered_events=40087538, total_slices=13853443, decompressed_slices=3940812, duration.command.search.index=16275, invocations.command.search.index.bucketcache.hit=1864, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=221131, invocations.command.search.rawdata.bucketcache.hit=273, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 09:16:25.650, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1655025360_4244', total_run_time=8.48, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655025370, api_et=1655021160.000000000, api_lt=1655024760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655021760.000000000, search_lt=1655025372.638017000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3151", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_220a20b53f33988f", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1016, eliminated_buckets=340, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=624, invocations.command.search.index.bucketcache.hit=1016, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 09:14:54.363, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1655025240_4204', total_run_time=4.39, event_count=0, result_count=0, available_count=0, scan_count=12100, drop_count=0, exec_time=1655025263, api_et=1655021640.000000000, api_lt=1655025240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655021640.000000000, search_lt=1655025265.377867000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2710", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=421, eliminated_buckets=289, considered_events=12103, total_slices=787067, decompressed_slices=2217, duration.command.search.index=840, invocations.command.search.index.bucketcache.hit=420, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5533, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=35, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=29, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=89, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=19, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=6, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=23, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=1, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") 
`filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-12-2022 09:11:24.604, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1655025060_4136', total_run_time=5.42, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655025064, api_et=1655021460.000000000, api_lt=1655025060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655021460.000000000, search_lt=1655025066.717000000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="3280", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_93fc2f2193d92b24", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=122, eliminated_buckets=46, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=52, invocations.command.search.index.bucketcache.hit=122, 
duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 09:10:25.228, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1655024820_4083', total_run_time=21.68, event_count=1069, result_count=54, available_count=0, scan_count=277196, drop_count=0, exec_time=1655024880, api_et=1655021220.000000000, api_lt=1655024820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655021220.000000000, search_lt=1655024882.334865000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2893", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=420, eliminated_buckets=203, considered_events=284371, total_slices=660549, decompressed_slices=71352, duration.command.search.index=2613, invocations.command.search.index.bucketcache.hit=419, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=20717, invocations.command.search.rawdata.bucketcache.hit=5, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=225067, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=25555, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-12-2022 09:10:25.074, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1655024940_4102', total_run_time=17.68, event_count=0, result_count=0, available_count=0, scan_count=3912827, drop_count=0, exec_time=1655024945, api_et=1655020740.000000000, api_lt=1655024340.000000000, 
api_index_et=N/A, api_index_lt=N/A, search_et=1655020740.000000000, search_lt=1655024340.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3076", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_d168876ffd85fe78", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=784, eliminated_buckets=357, considered_events=3912827, total_slices=1125273, decompressed_slices=175363, duration.command.search.index=1642, invocations.command.search.index.bucketcache.hit=780, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=29155, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=115, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | 
stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 09:07:42.156, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1655024820_4078', total_run_time=5.18, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655024846, api_et=1655021220.000000000, api_lt=1655024820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655021220.000000000, search_lt=1655024848.619728000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2637", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_caeb4cfc8c84ac91", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=420, eliminated_buckets=203, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=581, invocations.command.search.index.bucketcache.hit=419, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, 
invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 09:00:21.455, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655024340_3885', total_run_time=13.34, event_count=0, result_count=0, available_count=0, scan_count=18966608, drop_count=0, exec_time=1655024390, api_et=1655009940.000000000, api_lt=1655024340.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655009940.000000000, search_lt=1655024340.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2755", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=18966608, total_slices=1214974, decompressed_slices=358812, duration.command.search.index=6484, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53712, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10686237, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 08:59:13.434, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655024280_3872', total_run_time=11.86, event_count=0, result_count=0, available_count=0, scan_count=18964161, drop_count=0, exec_time=1655024329, api_et=1655009880.000000000, api_lt=1655024280.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655009880.000000000, search_lt=1655024280.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2697", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=18964161, total_slices=1213261, decompressed_slices=358793, duration.command.search.index=6691, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=50265, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10684054, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 08:59:12.862, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655024220_3855', total_run_time=12.11, event_count=0, result_count=0, available_count=0, scan_count=18964989, drop_count=0, exec_time=1655024269, api_et=1655009820.000000000, api_lt=1655024220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655009820.000000000, search_lt=1655024220.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2638", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=18964989, total_slices=1211748, decompressed_slices=358830, duration.command.search.index=6776, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=50560, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10683137, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 08:57:02.800, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655024160_3837', total_run_time=12.10, event_count=0, result_count=0, available_count=0, scan_count=18968762, drop_count=0, exec_time=1655024209, api_et=1655009760.000000000, api_lt=1655024160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655009760.000000000, search_lt=1655024160.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2680", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=18968762, total_slices=1210130, decompressed_slices=358864, duration.command.search.index=6634, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51934, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10684666, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 08:56:03.443, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655024100_3826', total_run_time=13.40, event_count=0, result_count=0, available_count=0, scan_count=18967510, drop_count=0, exec_time=1655024149, api_et=1655009700.000000000, api_lt=1655024100.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655009700.000000000, search_lt=1655024100.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3250", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=18967510, total_slices=1208548, decompressed_slices=358809, duration.command.search.index=6734, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51119, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10683851, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 08:55:02.850, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655024040_3810', total_run_time=12.35, event_count=0, result_count=0, available_count=0, scan_count=18964876, drop_count=0, exec_time=1655024090, api_et=1655009640.000000000, api_lt=1655024040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655009640.000000000, search_lt=1655024040.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2671", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=18964876, total_slices=1206964, decompressed_slices=358767, duration.command.search.index=6762, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=49186, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10682592, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 08:54:03.284, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655023980_3793', total_run_time=11.65, event_count=0, result_count=0, available_count=0, scan_count=18963977, drop_count=0, exec_time=1655024029, api_et=1655009580.000000000, api_lt=1655023980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655009580.000000000, search_lt=1655023980.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2672", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=18963977, total_slices=1205310, decompressed_slices=358828, duration.command.search.index=7002, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51414, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10681733, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 08:53:02.713, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655023920_3768', total_run_time=12.96, event_count=0, result_count=0, available_count=0, scan_count=18962672, drop_count=0, exec_time=1655023969, api_et=1655009520.000000000, api_lt=1655023920.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655009520.000000000, search_lt=1655023920.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2732", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=18962672, total_slices=1203692, decompressed_slices=358874, duration.command.search.index=7058, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52629, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10679778, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 08:52:30.368, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655023620_3664', total_run_time=12.11, event_count=0, result_count=0, available_count=0, scan_count=18966979, drop_count=0, exec_time=1655023669, api_et=1655009220.000000000, api_lt=1655023620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655009220.000000000, search_lt=1655023620.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2708", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=18966979, total_slices=1195773, decompressed_slices=358793, duration.command.search.index=6676, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51663, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10677941, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 08:52:29.442, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655023860_3751', total_run_time=13.09, event_count=0, result_count=0, available_count=0, scan_count=18963986, drop_count=0, exec_time=1655023909, api_et=1655009460.000000000, api_lt=1655023860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655009460.000000000, search_lt=1655023860.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2583", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=18963986, total_slices=1202123, decompressed_slices=358797, duration.command.search.index=7351, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52726, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10678658, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 08:52:28.968, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655023800_3727', total_run_time=15.87, event_count=0, result_count=0, available_count=0, scan_count=18964811, drop_count=0, exec_time=1655023850, api_et=1655009400.000000000, api_lt=1655023800.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655009400.000000000, search_lt=1655023800.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2651", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=18964811, total_slices=1200603, decompressed_slices=358720, duration.command.search.index=8107, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58198, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10679385, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 08:52:26.889, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655023680_3681', total_run_time=12.31, event_count=0, result_count=0, available_count=0, scan_count=18965477, drop_count=0, exec_time=1655023729, api_et=1655009280.000000000, api_lt=1655023680.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655009280.000000000, search_lt=1655023680.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2738", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=18965477, total_slices=1197374, decompressed_slices=358688, duration.command.search.index=6770, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=50612, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10678014, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 08:52:26.867, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655023740_3704', total_run_time=26.29, event_count=0, result_count=0, available_count=0, scan_count=18965459, drop_count=0, exec_time=1655023789, api_et=1655009340.000000000, api_lt=1655023740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655009340.000000000, search_lt=1655023740.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2656", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=18965459, total_slices=1198966, decompressed_slices=358665, duration.command.search.index=10553, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=135093, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10679065, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 08:47:08.726, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655023560_3642', total_run_time=12.21, event_count=0, result_count=0, available_count=0, scan_count=18969143, drop_count=0, exec_time=1655023609, api_et=1655009160.000000000, api_lt=1655023560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655009160.000000000, search_lt=1655023560.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2861", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=18969143, total_slices=1194203, decompressed_slices=358768, duration.command.search.index=6619, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=50564, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10678708, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 08:46:08.737, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655023500_3624', total_run_time=12.96, event_count=0, result_count=0, available_count=0, scan_count=18969050, drop_count=0, exec_time=1655023550, api_et=1655009100.000000000, api_lt=1655023500.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655009100.000000000, search_lt=1655023500.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2761", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=18969050, total_slices=1219606, decompressed_slices=358725, duration.command.search.index=6913, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53644, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10678886, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 08:45:25.890, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655023440_3602', total_run_time=12.96, event_count=0, result_count=0, available_count=0, scan_count=18969803, drop_count=0, exec_time=1655023490, api_et=1655009040.000000000, api_lt=1655023440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655009040.000000000, search_lt=1655023440.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3274", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=18969803, total_slices=1217963, decompressed_slices=358766, duration.command.search.index=6718, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52399, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10677434, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 08:45:00.233, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655023320_3552', total_run_time=12.28, event_count=0, result_count=0, available_count=0, scan_count=18970602, drop_count=0, exec_time=1655023369, api_et=1655008920.000000000, api_lt=1655023320.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655008920.000000000, search_lt=1655023320.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2662", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=18970602, total_slices=1214790, decompressed_slices=358843, duration.command.search.index=6805, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51588, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10676028, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 08:44:59.990, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655023380_3581', total_run_time=13.05, event_count=0, result_count=0, available_count=0, scan_count=18968888, drop_count=0, exec_time=1655023429, api_et=1655008980.000000000, api_lt=1655023380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655008980.000000000, search_lt=1655023380.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3063", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=18968888, total_slices=1216384, decompressed_slices=358765, duration.command.search.index=6876, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=50899, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10675889, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 08:44:59.697, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1655023380_3578', total_run_time=21.22, event_count=0, result_count=0, available_count=0, scan_count=3782, drop_count=0, exec_time=1655023417, api_et=1655019780.000000000, api_lt=1655023380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655019780.000000000, search_lt=1655023419.792472000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2770", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_ca44e73b8e5487aa", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=3782, total_slices=813856, decompressed_slices=897, duration.command.search.index=1095, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4777, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 08:42:19.826, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655023260_3529', total_run_time=12.14, event_count=0, result_count=0, available_count=0, scan_count=18969893, drop_count=0, exec_time=1655023310, api_et=1655008860.000000000, api_lt=1655023260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655008860.000000000, search_lt=1655023260.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2744", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=18969893, total_slices=1213278, decompressed_slices=358826, duration.command.search.index=7074, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52504, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10675964, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 08:41:20.068, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655023200_3504', total_run_time=14.38, event_count=0, result_count=0, available_count=0, scan_count=18967196, drop_count=0, exec_time=1655023249, api_et=1655008800.000000000, api_lt=1655023200.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655008800.000000000, search_lt=1655023200.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2831", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=18967196, total_slices=1211737, decompressed_slices=358763, duration.command.search.index=6942, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53124, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10674992, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 08:40:19.817, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655023140_3482', total_run_time=12.59, event_count=0, result_count=0, available_count=0, scan_count=18967018, drop_count=0, exec_time=1655023190, api_et=1655008740.000000000, api_lt=1655023140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655008740.000000000, search_lt=1655023140.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2824", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=18967018, total_slices=1210142, decompressed_slices=358787, duration.command.search.index=6527, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53065, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10674215, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 08:39:19.644, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655023080_3465', total_run_time=12.67, event_count=0, result_count=0, available_count=0, scan_count=18965674, drop_count=0, exec_time=1655023129, api_et=1655008680.000000000, api_lt=1655023080.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655008680.000000000, search_lt=1655023080.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2699", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=133, eliminated_buckets=0, considered_events=18965674, total_slices=1208533, decompressed_slices=358799, duration.command.search.index=6982, invocations.command.search.index.bucketcache.hit=133, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51185, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10672511, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 08:38:20.685, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655023020_3451', total_run_time=12.21, event_count=0, result_count=0, available_count=0, scan_count=18964515, drop_count=0, exec_time=1655023070, api_et=1655008620.000000000, api_lt=1655023020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655008620.000000000, search_lt=1655023020.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2611", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=133, eliminated_buckets=0, considered_events=18964515, total_slices=1206914, decompressed_slices=358865, duration.command.search.index=6587, invocations.command.search.index.bucketcache.hit=133, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51701, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10670645, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 08:37:47.017, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655022720_3333', total_run_time=16.54, event_count=0, result_count=0, available_count=0, scan_count=18965062, drop_count=0, exec_time=1655022769, api_et=1655008320.000000000, api_lt=1655022720.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655008320.000000000, search_lt=1655022720.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2817", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=133, eliminated_buckets=0, considered_events=18965062, total_slices=1198920, decompressed_slices=359017, duration.command.search.index=7901, invocations.command.search.index.bucketcache.hit=133, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55991, invocations.command.search.rawdata.bucketcache.hit=9, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10670718, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 08:37:46.911, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655022840_3405', total_run_time=13.73, event_count=0, result_count=0, available_count=0, scan_count=18963266, drop_count=0, exec_time=1655022890, api_et=1655008440.000000000, api_lt=1655022840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655008440.000000000, search_lt=1655022840.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2759", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=133, eliminated_buckets=0, considered_events=18963266, total_slices=1202194, decompressed_slices=358974, duration.command.search.index=7242, invocations.command.search.index.bucketcache.hit=133, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=50069, invocations.command.search.rawdata.bucketcache.hit=9, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10668884, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 08:37:46.793, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655022900_3426', total_run_time=12.50, event_count=0, result_count=0, available_count=0, scan_count=18965359, drop_count=0, exec_time=1655022950, api_et=1655008500.000000000, api_lt=1655022900.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655008500.000000000, search_lt=1655022900.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2714", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=133, eliminated_buckets=0, considered_events=18965359, total_slices=1203831, decompressed_slices=358862, duration.command.search.index=6857, invocations.command.search.index.bucketcache.hit=133, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=49449, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10671432, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 08:37:46.336, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1655022780_3355', total_run_time=66.32, event_count=0, result_count=0, available_count=0, scan_count=40212270, drop_count=0, exec_time=1655022805, api_et=1655019180.000000000, api_lt=1655022780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655019180.000000000, search_lt=1655022807.330832000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3770", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_4a7b0f5a26069d07", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1884, eliminated_buckets=134, considered_events=40212270, total_slices=13975172, decompressed_slices=3946055, duration.command.search.index=20259, invocations.command.search.index.bucketcache.hit=1883, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=277923, invocations.command.search.rawdata.bucketcache.hit=285, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 08:37:46.123, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655022780_3369', total_run_time=13.70, event_count=0, result_count=0, available_count=0, scan_count=18963372, drop_count=0, exec_time=1655022830, api_et=1655008380.000000000, api_lt=1655022780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655008380.000000000, search_lt=1655022780.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2862", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=133, eliminated_buckets=0, considered_events=18963372, total_slices=1200633, decompressed_slices=358932, duration.command.search.index=7167, invocations.command.search.index.bucketcache.hit=133, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53056, invocations.command.search.rawdata.bucketcache.hit=9, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10669894, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 08:37:45.973, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655022960_3436', total_run_time=11.93, event_count=0, result_count=0, available_count=0, scan_count=18965892, drop_count=0, exec_time=1655023009, api_et=1655008560.000000000, api_lt=1655022960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655008560.000000000, search_lt=1655022960.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2633", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=133, eliminated_buckets=0, considered_events=18965892, total_slices=1205420, decompressed_slices=358906, duration.command.search.index=6647, invocations.command.search.index.bucketcache.hit=133, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=50633, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10672345, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 08:32:16.570, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655022660_3304', total_run_time=15.76, event_count=0, result_count=0, available_count=0, scan_count=18968650, drop_count=0, exec_time=1655022709, api_et=1655008260.000000000, api_lt=1655022660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655008260.000000000, search_lt=1655022660.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3320", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=18968650, total_slices=1224262, decompressed_slices=359045, duration.command.search.index=7448, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55817, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10672839, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 08:31:17.565, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655022600_3276', total_run_time=15.06, event_count=0, result_count=0, available_count=0, scan_count=18972399, drop_count=0, exec_time=1655022650, api_et=1655008200.000000000, api_lt=1655022600.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655008200.000000000, search_lt=1655022600.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2750", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=18972399, total_slices=1222707, decompressed_slices=359055, duration.command.search.index=7276, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56638, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10675741, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 08:30:17.104, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655022540_3247', total_run_time=12.22, event_count=0, result_count=0, available_count=0, scan_count=18976628, drop_count=0, exec_time=1655022589, api_et=1655008140.000000000, api_lt=1655022540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655008140.000000000, search_lt=1655022540.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2732", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=18976628, total_slices=1221096, decompressed_slices=359086, duration.command.search.index=6556, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52400, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10676959, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 08:29:16.390, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655022480_3233', total_run_time=12.71, event_count=0, result_count=0, available_count=0, scan_count=18978594, drop_count=0, exec_time=1655022529, api_et=1655008080.000000000, api_lt=1655022480.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655008080.000000000, search_lt=1655022480.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2674", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=18978594, total_slices=1219552, decompressed_slices=359095, duration.command.search.index=6747, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51224, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10678638, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 08:28:16.928, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655022420_3219', total_run_time=11.67, event_count=0, result_count=0, available_count=0, scan_count=18981759, drop_count=0, exec_time=1655022469, api_et=1655008020.000000000, api_lt=1655022420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655008020.000000000, search_lt=1655022420.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2657", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=18981759, total_slices=1217883, decompressed_slices=359148, duration.command.search.index=6680, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=49424, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10682195, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 08:27:16.652, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655022360_3201', total_run_time=11.65, event_count=0, result_count=0, available_count=0, scan_count=18983452, drop_count=0, exec_time=1655022409, api_et=1655007960.000000000, api_lt=1655022360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655007960.000000000, search_lt=1655022360.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2606", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=18983452, total_slices=1216364, decompressed_slices=359115, duration.command.search.index=6766, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=50941, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10683995, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 08:26:17.162, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655022300_3184', total_run_time=12.75, event_count=0, result_count=0, available_count=0, scan_count=18985932, drop_count=0, exec_time=1655022349, api_et=1655007900.000000000, api_lt=1655022300.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655007900.000000000, search_lt=1655022300.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3418", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=18985932, total_slices=1214796, decompressed_slices=359127, duration.command.search.index=6854, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51343, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10686961, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 08:25:16.527, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655022240_3172', total_run_time=14.58, event_count=0, result_count=0, available_count=0, scan_count=18984794, drop_count=0, exec_time=1655022289, api_et=1655007840.000000000, api_lt=1655022240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655007840.000000000, search_lt=1655022240.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2702", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=18984794, total_slices=1213155, decompressed_slices=359155, duration.command.search.index=7304, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51769, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10686012, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 08:24:16.212, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655022180_3153', total_run_time=12.26, event_count=0, result_count=0, available_count=0, scan_count=18982848, drop_count=0, exec_time=1655022229, api_et=1655007780.000000000, api_lt=1655022180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655007780.000000000, search_lt=1655022180.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2549", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=18982848, total_slices=1211666, decompressed_slices=359105, duration.command.search.index=6814, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51250, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10685470, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 08:23:29.131, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655022120_3119', total_run_time=12.08, event_count=0, result_count=0, available_count=0, scan_count=18982192, drop_count=0, exec_time=1655022169, api_et=1655007720.000000000, api_lt=1655022120.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655007720.000000000, search_lt=1655022120.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2364", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=18982192, total_slices=1210071, decompressed_slices=359124, duration.command.search.index=6842, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51956, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10685466, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 08:22:16.338, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655022060_3103', total_run_time=12.96, event_count=0, result_count=0, available_count=0, scan_count=18982948, drop_count=0, exec_time=1655022109, api_et=1655007660.000000000, api_lt=1655022060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655007660.000000000, search_lt=1655022060.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2539", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=18982948, total_slices=1208532, decompressed_slices=359137, duration.command.search.index=6965, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=49933, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10687348, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 08:21:16.449, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655022000_3072', total_run_time=12.96, event_count=0, result_count=0, available_count=0, scan_count=18980237, drop_count=0, exec_time=1655022048, api_et=1655007600.000000000, api_lt=1655022000.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655007600.000000000, search_lt=1655022000.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2639", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=18980237, total_slices=1206878, decompressed_slices=359043, duration.command.search.index=7090, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=49555, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10686261, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 08:21:16.123, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD5f35305de57109d38_at_1655022000_3076', total_run_time=13.34, event_count=10686261, result_count=15, available_count=0, scan_count=18980232, drop_count=0, exec_time=1655022057, api_et=1655007600.000000000, api_lt=1655022000.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655007600.000000000, search_lt=1655022000.000000000, is_realtime=0, savedsearch_name="(1/3)_Public/NAT IP_Updating Existing IP", search_startup_time="2773", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_0f6d107c44b6659a", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=18980232, total_slices=1207116, decompressed_slices=359040, duration.command.search.index=6993, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=49495, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10686261, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="False" | eval earliest_seen=strptime(existing_es, "%m/%d/%Y %H:%M:%S.%N") | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(earliest_seen) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields ServiceType, host, src_translated_ip, earliest_seen, latest_seen, right_now, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 08:20:16.531, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655021940_3049', total_run_time=12.94, event_count=0, result_count=0, available_count=0, scan_count=18977192, drop_count=0, exec_time=1655021990, api_et=1655007540.000000000, api_lt=1655021940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655007540.000000000, search_lt=1655021940.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2663", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=18977192, total_slices=1205282, decompressed_slices=359053, duration.command.search.index=6830, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=50981, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10684630, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 08:19:16.843, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655021880_3023', total_run_time=13.23, event_count=0, result_count=0, available_count=0, scan_count=18977145, drop_count=0, exec_time=1655021930, api_et=1655007480.000000000, api_lt=1655021880.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655007480.000000000, search_lt=1655021880.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2660", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=18977145, total_slices=1203645, decompressed_slices=359029, duration.command.search.index=7243, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51932, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10684752, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 08:18:45.003, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655021820_3003', total_run_time=11.97, event_count=0, result_count=0, available_count=0, scan_count=18976556, drop_count=0, exec_time=1655021870, api_et=1655007420.000000000, api_lt=1655021820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655007420.000000000, search_lt=1655021820.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2785", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=18976556, total_slices=1202082, decompressed_slices=359074, duration.command.search.index=6673, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=54343, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10683555, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 08:17:16.801, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655021760_2978', total_run_time=12.26, event_count=0, result_count=0, available_count=0, scan_count=18978194, drop_count=0, exec_time=1655021809, api_et=1655007360.000000000, api_lt=1655021760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655007360.000000000, search_lt=1655021760.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2727", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=18978194, total_slices=1200543, decompressed_slices=359050, duration.command.search.index=6761, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=47461, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10683709, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 08:16:46.990, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1655021760_2972', total_run_time=9.41, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655021770, api_et=1655017560.000000000, api_lt=1655021160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655018160.000000000, search_lt=1655021772.835739000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3684", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_3c736ed0804d85cf", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1020, eliminated_buckets=340, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=616, invocations.command.search.index.bucketcache.hit=1020, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes 
values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 08:16:16.457, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655021700_2961', total_run_time=12.55, event_count=0, result_count=0, available_count=0, scan_count=18979006, drop_count=0, exec_time=1655021749, api_et=1655007300.000000000, api_lt=1655021700.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655007300.000000000, search_lt=1655021700.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2431", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=18979006, total_slices=1198921, decompressed_slices=359037, 
duration.command.search.index=6759, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53276, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10683693, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 08:15:16.704, user=u00002, action=search, 
info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655021640_2942', total_run_time=11.85, event_count=0, result_count=0, available_count=0, scan_count=18976747, drop_count=0, exec_time=1655021689, api_et=1655007240.000000000, api_lt=1655021640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655007240.000000000, search_lt=1655021640.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2842", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=18976747, total_slices=1197325, decompressed_slices=359027, duration.command.search.index=6542, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=50927, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10679869, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" 
src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 08:14:46.568, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1655021640_2929', total_run_time=4.39, event_count=0, result_count=0, available_count=0, scan_count=11401, drop_count=0, exec_time=1655021663, api_et=1655018040.000000000, api_lt=1655021640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655018040.000000000, search_lt=1655021665.306691000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2745", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=418, eliminated_buckets=286, considered_events=11401, total_slices=766230, decompressed_slices=2214, duration.command.search.index=816, invocations.command.search.index.bucketcache.hit=418, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, 
invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5516, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=34, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=28, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=76, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=16, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=3, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=15, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR 
sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." 
(CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-12-2022 08:14:16.842, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655021580_2919', total_run_time=11.37, event_count=0, result_count=0, available_count=0, scan_count=18976307, drop_count=0, exec_time=1655021629, api_et=1655007180.000000000, api_lt=1655021580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655007180.000000000, search_lt=1655021580.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2697", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=18976307, total_slices=1195702, decompressed_slices=358935, duration.command.search.index=6664, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=48518, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10679132, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 08:13:46.930, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655021520_2892', total_run_time=12.84, event_count=0, result_count=0, available_count=0, scan_count=18976642, drop_count=0, exec_time=1655021569, api_et=1655007120.000000000, api_lt=1655021520.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655007120.000000000, search_lt=1655021520.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2734", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=18976642, total_slices=1194140, decompressed_slices=358952, duration.command.search.index=6870, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=47869, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10678592, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 08:12:17.469, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655021460_2874', total_run_time=12.40, event_count=0, result_count=0, available_count=0, scan_count=18974525, drop_count=0, exec_time=1655021509, api_et=1655007060.000000000, api_lt=1655021460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655007060.000000000, search_lt=1655021460.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3106", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=18974525, total_slices=1192609, decompressed_slices=358874, duration.command.search.index=6911, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=50325, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10677659, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 08:11:16.750, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655021400_2848', total_run_time=12.44, event_count=0, result_count=0, available_count=0, scan_count=18974513, drop_count=0, exec_time=1655021450, api_et=1655007000.000000000, api_lt=1655021400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655007000.000000000, search_lt=1655021400.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2589", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=18974513, total_slices=1191085, decompressed_slices=358868, duration.command.search.index=6849, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52495, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10677276, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 08:11:16.366, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1655021460_2855', total_run_time=5.46, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655021464, api_et=1655017860.000000000, api_lt=1655021460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655017860.000000000, search_lt=1655021466.856001000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="3181", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_873a5b9fd46d98d0", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=122, eliminated_buckets=46, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=53, invocations.command.search.index.bucketcache.hit=122, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 08:10:33.730, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1655021220_2799', total_run_time=22.29, event_count=1178, result_count=54, available_count=0, scan_count=301441, drop_count=0, exec_time=1655021280, api_et=1655017620.000000000, api_lt=1655021220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655017620.000000000, search_lt=1655021282.252178000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2741", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=418, eliminated_buckets=204, considered_events=306904, total_slices=677704, decompressed_slices=80027, duration.command.search.index=2803, invocations.command.search.index.bucketcache.hit=418, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=22645, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=247518, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=27866, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-12-2022 08:10:33.521, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655021340_2828', total_run_time=12.33, event_count=0, result_count=0, available_count=0, scan_count=18971732, drop_count=0, exec_time=1655021389, api_et=1655006940.000000000, api_lt=1655021340.000000000, 
api_index_et=N/A, api_index_lt=N/A, search_et=1655006940.000000000, search_lt=1655021340.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2660", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=18971732, total_slices=1189420, decompressed_slices=358839, duration.command.search.index=6898, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=48528, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10674499, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | 
eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 08:10:33.043, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1655021220_2791', total_run_time=5.12, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655021246, api_et=1655017620.000000000, api_lt=1655021220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655017620.000000000, search_lt=1655021247.879178000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2745", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_90dc1751c12bd0bd", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=418, eliminated_buckets=204, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=565, invocations.command.search.index.bucketcache.hit=418, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, 
invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 08:10:33.035, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1655021340_2820', total_run_time=17.21, event_count=0, result_count=0, available_count=0, scan_count=3848015, drop_count=0, exec_time=1655021345, api_et=1655017140.000000000, api_lt=1655020740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655017140.000000000, search_lt=1655020740.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3130", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_3fbdfb0d008812e8", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=787, eliminated_buckets=363, considered_events=3848015, total_slices=1123133, decompressed_slices=170179, duration.command.search.index=1589, invocations.command.search.index.bucketcache.hit=787, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=28088, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=82, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 08:10:32.263, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655021220_2796', total_run_time=11.63, event_count=0, result_count=0, available_count=0, scan_count=18972673, drop_count=0, exec_time=1655021270, api_et=1655006820.000000000, api_lt=1655021220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655006820.000000000, search_lt=1655021220.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New 
IP", search_startup_time="2633", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=18972673, total_slices=1186212, decompressed_slices=358977, duration.command.search.index=6638, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=50191, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10672873, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as 
latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 08:10:31.788, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655021280_2812', total_run_time=11.52, event_count=0, result_count=0, available_count=0, scan_count=18971569, drop_count=0, exec_time=1655021330, api_et=1655006880.000000000, api_lt=1655021280.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655006880.000000000, search_lt=1655021280.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2558", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=18971569, total_slices=1187777, decompressed_slices=358890, duration.command.search.index=6783, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=49074, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, 
sourcetype_count__pan:traffic=10673169, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 08:07:30.688, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655021160_2774', total_run_time=12.43, event_count=0, result_count=0, available_count=0, scan_count=18967822, drop_count=0, exec_time=1655021210, api_et=1655006760.000000000, api_lt=1655021160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655006760.000000000, search_lt=1655021160.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2868", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=18967822, total_slices=1184144, decompressed_slices=358910, duration.command.search.index=6861, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53775, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10671143, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 08:06:30.122, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655021100_2760', total_run_time=11.71, event_count=0, result_count=0, available_count=0, scan_count=18964673, drop_count=0, exec_time=1655021150, api_et=1655006700.000000000, api_lt=1655021100.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655006700.000000000, search_lt=1655021100.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2651", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=18964673, total_slices=1183107, decompressed_slices=358907, duration.command.search.index=6733, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51582, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10670125, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 08:05:30.507, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655021040_2743', total_run_time=14.01, event_count=0, result_count=0, available_count=0, scan_count=18956148, drop_count=0, exec_time=1655021090, api_et=1655006640.000000000, api_lt=1655021040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655006640.000000000, search_lt=1655021040.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2759", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=18956148, total_slices=1180925, decompressed_slices=358772, duration.command.search.index=7519, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55324, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10663346, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 08:04:30.581, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655020980_2701', total_run_time=14.35, event_count=0, result_count=0, available_count=0, scan_count=18957120, drop_count=0, exec_time=1655021030, api_et=1655006580.000000000, api_lt=1655020980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655006580.000000000, search_lt=1655020980.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2653", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=18957120, total_slices=1179842, decompressed_slices=358869, duration.command.search.index=8236, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61758, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10664536, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 08:03:29.520, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655020920_2654', total_run_time=14.61, event_count=0, result_count=0, available_count=0, scan_count=18957464, drop_count=0, exec_time=1655020969, api_et=1655006520.000000000, api_lt=1655020920.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655006520.000000000, search_lt=1655020920.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2697", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=18957464, total_slices=1178318, decompressed_slices=358823, duration.command.search.index=7324, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58801, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10664376, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 08:02:29.517, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655020860_2623', total_run_time=14.65, event_count=0, result_count=0, available_count=0, scan_count=18958105, drop_count=0, exec_time=1655020909, api_et=1655006460.000000000, api_lt=1655020860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655006460.000000000, search_lt=1655020860.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2542", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=18958105, total_slices=1176633, decompressed_slices=358808, duration.command.search.index=7918, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56892, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10666580, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 08:01:29.488, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655020800_2593', total_run_time=20.22, event_count=0, result_count=0, available_count=0, scan_count=18956841, drop_count=0, exec_time=1655020849, api_et=1655006400.000000000, api_lt=1655020800.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655006400.000000000, search_lt=1655020800.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2419", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=18956841, total_slices=1174997, decompressed_slices=358786, duration.command.search.index=9365, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=70032, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10664065, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 07:44:20.221, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1655019780_2307', total_run_time=21.03, event_count=0, result_count=0, available_count=0, scan_count=2735, drop_count=0, exec_time=1655019817, api_et=1655016180.000000000, api_lt=1655019780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655016180.000000000, search_lt=1655019819.806530000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2738", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_3668a5303f9c2f3b", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=125, eliminated_buckets=0, considered_events=2735, total_slices=678192, decompressed_slices=668, duration.command.search.index=1063, invocations.command.search.index.bucketcache.hit=125, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4710, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 07:34:05.293, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1655019180_2102', total_run_time=36.34, event_count=0, result_count=0, available_count=0, scan_count=40435206, drop_count=0, exec_time=1655019204, api_et=1655015580.000000000, api_lt=1655019180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655015580.000000000, search_lt=1655019206.903007000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3729", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_684bb636c76de726", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1903, eliminated_buckets=134, considered_events=40435206, total_slices=14075994, decompressed_slices=3967715, duration.command.search.index=14204, invocations.command.search.index.bucketcache.hit=1901, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=221996, invocations.command.search.rawdata.bucketcache.hit=282, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 07:16:45.758, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1655018160_1763', total_run_time=8.34, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655018170, api_et=1655013960.000000000, api_lt=1655017560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655014560.000000000, search_lt=1655018172.411686000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3243", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_19bed6a61b41ef7e", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1015, eliminated_buckets=337, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=830, invocations.command.search.index.bucketcache.hit=1015, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 07:14:45.858, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1655018040_1723', total_run_time=5.01, event_count=0, result_count=0, available_count=0, scan_count=12177, drop_count=0, exec_time=1655018063, api_et=1655014440.000000000, api_lt=1655018040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655014440.000000000, search_lt=1655018065.195655000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2837", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=418, eliminated_buckets=286, considered_events=12178, total_slices=765161, decompressed_slices=1877, duration.command.search.index=885, invocations.command.search.index.bucketcache.hit=418, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5362, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=23, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=32, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=92, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=19, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=4, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=20, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | 
`filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-12-2022 07:11:15.709, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1655017860_1657', total_run_time=5.70, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655017864, api_et=1655014260.000000000, api_lt=1655017860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655014260.000000000, search_lt=1655017867.693910000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="3665", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_814c74945eb406d1", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=122, eliminated_buckets=46, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=51, invocations.command.search.index.bucketcache.hit=122, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 07:10:31.990, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1655017740_1626', total_run_time=18.60, event_count=0, result_count=0, available_count=0, scan_count=3957257, drop_count=0, exec_time=1655017746, api_et=1655013540.000000000, api_lt=1655017140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655013540.000000000, search_lt=1655017140.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3123", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_d4d16c937862787e", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=782, eliminated_buckets=361, considered_events=3957257, total_slices=1053383, decompressed_slices=173514, duration.command.search.index=1587, invocations.command.search.index.bucketcache.hit=781, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=29029, invocations.command.search.rawdata.bucketcache.hit=9, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=91, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 07:10:31.614, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1655017620_1613', total_run_time=21.58, event_count=1077, result_count=54, available_count=0, scan_count=273396, drop_count=0, exec_time=1655017684, api_et=1655014020.000000000, api_lt=1655017620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655014020.000000000, search_lt=1655017686.198484000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2989", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=417, eliminated_buckets=204, considered_events=278477, total_slices=624375, decompressed_slices=84284, duration.command.search.index=2746, invocations.command.search.index.bucketcache.hit=417, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=21678, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=224492, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=25292, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | 
rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-12-2022 07:07:44.275, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1655017620_1603', total_run_time=5.00, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655017646, api_et=1655014020.000000000, api_lt=1655017620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655014020.000000000, search_lt=1655017648.407096000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="3089", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_422af86835673dce", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=417, eliminated_buckets=204, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=635, invocations.command.search.index.bucketcache.hit=417, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, 
invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 06:43:59.593, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1655016180_1131', total_run_time=21.22, event_count=0, result_count=0, available_count=0, scan_count=3191, drop_count=0, exec_time=1655016218, api_et=1655012580.000000000, api_lt=1655016180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655012580.000000000, search_lt=1655016220.045340000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2859", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_409a76225d53296d", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=125, eliminated_buckets=0, considered_events=3191, total_slices=838761, decompressed_slices=898, duration.command.search.index=1100, invocations.command.search.index.bucketcache.hit=125, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4891, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 06:36:33.121, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1655015580_924', total_run_time=39.57, event_count=0, result_count=0, available_count=0, scan_count=40320750, drop_count=0, exec_time=1655015606, api_et=1655011980.000000000, api_lt=1655015580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655011980.000000000, search_lt=1655015608.007797000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3816", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_9cbfa04717980804", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1865, eliminated_buckets=134, considered_events=40320750, total_slices=13884617, decompressed_slices=3965189, duration.command.search.index=13967, invocations.command.search.index.bucketcache.hit=1863, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=223327, invocations.command.search.rawdata.bucketcache.hit=266, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 06:16:43.682, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1655014560_572', total_run_time=16.48, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655014570, api_et=1655010360.000000000, api_lt=1655013960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655010960.000000000, search_lt=1655014572.683730000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3273", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_aae61581a69fb046", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1018, eliminated_buckets=338, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=1122, invocations.command.search.index.bucketcache.hit=1018, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?<rapiddiag_operation>task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metadata")` | rex field=uri "\?(?<get_parameters>.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?<task_name>.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metadata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 06:14:40.033, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1655014440_532', total_run_time=4.36, event_count=0, result_count=0, available_count=0, scan_count=15535, drop_count=0, exec_time=1655014463, api_et=1655010840.000000000, api_lt=1655014440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655010840.000000000, search_lt=1655014465.309569000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2773", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=417, eliminated_buckets=285, considered_events=15538, total_slices=753863, decompressed_slices=2235, duration.command.search.index=912, invocations.command.search.index.bucketcache.hit=417, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5528, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=20, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=39, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=112, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=26, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=2, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=18, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | 
`filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-12-2022 06:11:13.555, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1655014260_465', total_run_time=5.09, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655014264, api_et=1655010660.000000000, api_lt=1655014260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655010660.000000000, search_lt=1655014266.655086000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2867", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_78088a0cfd105809", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=122, eliminated_buckets=46, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=51, invocations.command.search.index.bucketcache.hit=122, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?<dest_host>.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 06:09:43.682, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1655014140_432', total_run_time=19.27, event_count=0, result_count=0, available_count=0, scan_count=3805855, drop_count=0, exec_time=1655014145, api_et=1655009940.000000000, api_lt=1655013540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655009940.000000000, search_lt=1655013540.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3004", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_07f2d470d872bad8", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=789, eliminated_buckets=360, considered_events=3805855, total_slices=1198000, decompressed_slices=168110, duration.command.search.index=1608, invocations.command.search.index.bucketcache.hit=785, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=28435, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=83, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?<granted_account_id>\d+?):(?<granted_principal_name>.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 06:08:13.766, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1655014020_411', total_run_time=12.87, event_count=1053, result_count=54, available_count=0, scan_count=275821, drop_count=0, exec_time=1655014080, api_et=1655010420.000000000, api_lt=1655014020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655010420.000000000, search_lt=1655014081.899859000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2748", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=416, eliminated_buckets=202, considered_events=281521, total_slices=590923, decompressed_slices=67477, duration.command.search.index=2706, invocations.command.search.index.bucketcache.hit=416, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=20232, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=1, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=225507, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=24767, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype 
CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-12-2022 06:07:43.713, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1655014020_406', total_run_time=5.30, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655014046, api_et=1655010420.000000000, api_lt=1655014020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655010420.000000000, search_lt=1655014048.355227000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2715", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_71167f8c93f5dcf3", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=416, eliminated_buckets=202, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=631, invocations.command.search.index.bucketcache.hit=416, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?<dest_host>(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 05:44:23.270, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1655012580_99940', total_run_time=20.79, event_count=0, result_count=0, available_count=0, scan_count=3075, drop_count=0, exec_time=1655012618, api_et=1655008980.000000000, api_lt=1655012580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655008980.000000000, search_lt=1655012620.579138000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2788", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_c7a1c23029b9ec78", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=125, eliminated_buckets=0, considered_events=3075, total_slices=739497, decompressed_slices=750, duration.command.search.index=1048, invocations.command.search.index.bucketcache.hit=125, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4733, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 05:34:23.336, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1655011980_99735', total_run_time=40.32, event_count=0, result_count=0, available_count=0, scan_count=40772717, drop_count=0, exec_time=1655012005, api_et=1655008380.000000000, api_lt=1655011980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655008380.000000000, search_lt=1655012007.578803000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3808", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_3bd10c2b0f102eb2", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1876, eliminated_buckets=134, considered_events=40772717, total_slices=13908495, decompressed_slices=3983364, duration.command.search.index=14468, invocations.command.search.index.bucketcache.hit=1875, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=231206, invocations.command.search.rawdata.bucketcache.hit=279, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 05:16:36.170, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1655010960_99399', total_run_time=8.63, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655010970, api_et=1655006760.000000000, api_lt=1655010360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655007360.000000000, search_lt=1655010972.579083000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3288", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_e84f15b9d5563d1a", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1019, eliminated_buckets=339, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=887, invocations.command.search.index.bucketcache.hit=1019, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?<rapiddiag_operation>task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metadata")` | rex field=uri "\?(?<get_parameters>.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?<task_name>.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metadata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 05:14:36.071, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1655010840_99358', total_run_time=6.15, event_count=0, result_count=0, available_count=0, scan_count=13170, drop_count=0, exec_time=1655010863, api_et=1655007240.000000000, api_lt=1655010840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655007240.000000000, search_lt=1655010865.543489000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2853", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=415, eliminated_buckets=285, considered_events=13289, total_slices=729208, decompressed_slices=2072, duration.command.search.index=904, invocations.command.search.index.bucketcache.hit=415, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5716, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=49, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=25, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=85, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=18, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=5, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=20, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | 
`filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-12-2022 05:11:35.908, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1655010660_99292', total_run_time=4.83, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655010664, api_et=1655007060.000000000, api_lt=1655010660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655007060.000000000, search_lt=1655010666.475502000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2749", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_c14575f00d36971a", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=122, eliminated_buckets=46, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=52, invocations.command.search.index.bucketcache.hit=122, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 05:09:54.380, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1655010540_99261', total_run_time=34.03, event_count=0, result_count=0, available_count=0, scan_count=3847942, drop_count=0, exec_time=1655010545, api_et=1655006340.000000000, api_lt=1655009940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655006340.000000000, search_lt=1655009940.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3129", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_c1c07227f89d2ae1", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=793, eliminated_buckets=371, considered_events=3847942, total_slices=1151846, decompressed_slices=167375, duration.command.search.index=2090, invocations.command.search.index.bucketcache.hit=793, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=41372, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=86, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 05:09:31.142, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1655010420_99243', total_run_time=25.61, event_count=1087, result_count=54, available_count=0, scan_count=284057, drop_count=0, exec_time=1655010480, api_et=1655006820.000000000, api_lt=1655010420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655006820.000000000, search_lt=1655010482.454689000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2845", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=415, eliminated_buckets=201, considered_events=291610, total_slices=530433, decompressed_slices=75605, duration.command.search.index=6732, invocations.command.search.index.bucketcache.hit=415, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=78456, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=232450, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=26354, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | 
rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-12-2022 05:09:30.001, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1655010420_99237', total_run_time=14.52, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655010446, api_et=1655006820.000000000, api_lt=1655010420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655006820.000000000, search_lt=1655010448.441981000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2883", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_763e0a411e539441", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=415, eliminated_buckets=201, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=1669, invocations.command.search.index.bucketcache.hit=415, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, 
invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 05:00:15.068, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655009940_99042', total_run_time=12.52, event_count=0, result_count=0, available_count=0, scan_count=18492983, drop_count=0, exec_time=1655009990, api_et=1654995540.000000000, api_lt=1655009940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654995540.000000000, search_lt=1655009940.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3088", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=18492983, total_slices=1208132, decompressed_slices=362235, duration.command.search.index=6250, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51432, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10365360, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 04:59:15.463, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655009880_99029', total_run_time=11.61, event_count=0, result_count=0, available_count=0, scan_count=18494524, drop_count=0, exec_time=1655009929, api_et=1654995480.000000000, api_lt=1655009880.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654995480.000000000, search_lt=1655009880.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3175", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=18494524, total_slices=1206537, decompressed_slices=362205, duration.command.search.index=6630, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=50427, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10365874, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 04:58:15.084, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655009820_99014', total_run_time=11.27, event_count=0, result_count=0, available_count=0, scan_count=18491903, drop_count=0, exec_time=1655009869, api_et=1654995420.000000000, api_lt=1655009820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654995420.000000000, search_lt=1655009820.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2652", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=18491903, total_slices=1204860, decompressed_slices=362269, duration.command.search.index=6519, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=50096, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10364175, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 04:57:15.248, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655009760_98997', total_run_time=11.21, event_count=0, result_count=0, available_count=0, scan_count=18488337, drop_count=0, exec_time=1655009809, api_et=1654995360.000000000, api_lt=1655009760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654995360.000000000, search_lt=1655009760.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2547", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=18488337, total_slices=1203274, decompressed_slices=362282, duration.command.search.index=6361, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52633, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10362245, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 04:56:15.362, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655009700_98986', total_run_time=12.17, event_count=0, result_count=0, available_count=0, scan_count=18489023, drop_count=0, exec_time=1655009749, api_et=1654995300.000000000, api_lt=1655009700.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654995300.000000000, search_lt=1655009700.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2739", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=18489023, total_slices=1201754, decompressed_slices=362355, duration.command.search.index=6457, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=50045, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10363630, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 04:55:15.077, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655009640_98971', total_run_time=11.88, event_count=0, result_count=0, available_count=0, scan_count=18487472, drop_count=0, exec_time=1655009689, api_et=1654995240.000000000, api_lt=1655009640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654995240.000000000, search_lt=1655009640.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2702", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=18487472, total_slices=1227032, decompressed_slices=362352, duration.command.search.index=6471, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=49439, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10361955, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 04:54:13.736, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655009580_98954', total_run_time=11.55, event_count=0, result_count=0, available_count=0, scan_count=18487755, drop_count=0, exec_time=1655009629, api_et=1654995180.000000000, api_lt=1655009580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654995180.000000000, search_lt=1655009580.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3052", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=18487755, total_slices=1252429, decompressed_slices=362321, duration.command.search.index=6642, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=47857, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10361689, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 04:54:12.781, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655009520_98931', total_run_time=12.09, event_count=0, result_count=0, available_count=0, scan_count=18489386, drop_count=0, exec_time=1655009569, api_et=1654995120.000000000, api_lt=1655009520.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654995120.000000000, search_lt=1655009520.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2615", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=18489386, total_slices=1250768, decompressed_slices=362320, duration.command.search.index=6769, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51349, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10361974, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 04:52:23.438, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655009460_98914', total_run_time=12.42, event_count=0, result_count=0, available_count=0, scan_count=18487308, drop_count=0, exec_time=1655009509, api_et=1654995060.000000000, api_lt=1655009460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654995060.000000000, search_lt=1655009460.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2640", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=18487308, total_slices=1249216, decompressed_slices=362308, duration.command.search.index=7224, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=49778, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10360411, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 04:51:24.830, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655009400_98890', total_run_time=13.88, event_count=0, result_count=0, available_count=0, scan_count=18484474, drop_count=0, exec_time=1655009449, api_et=1654995000.000000000, api_lt=1655009400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654995000.000000000, search_lt=1655009400.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2738", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=18484474, total_slices=1274467, decompressed_slices=362440, duration.command.search.index=6897, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53991, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10357869, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 04:50:22.813, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655009280_98845', total_run_time=12.65, event_count=0, result_count=0, available_count=0, scan_count=18481804, drop_count=0, exec_time=1655009329, api_et=1654994880.000000000, api_lt=1655009280.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654994880.000000000, search_lt=1655009280.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2709", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=18481804, total_slices=1271220, decompressed_slices=362315, duration.command.search.index=7400, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52645, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10357110, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 04:50:22.328, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655009340_98866', total_run_time=12.07, event_count=0, result_count=0, available_count=0, scan_count=18482802, drop_count=0, exec_time=1655009390, api_et=1654994940.000000000, api_lt=1655009340.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654994940.000000000, search_lt=1655009340.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2673", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=18482802, total_slices=1272912, decompressed_slices=362451, duration.command.search.index=6752, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=49104, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10357413, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 04:50:22.257, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655009220_98829', total_run_time=13.57, event_count=0, result_count=0, available_count=0, scan_count=18480506, drop_count=0, exec_time=1655009269, api_et=1654994820.000000000, api_lt=1655009220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654994820.000000000, search_lt=1655009220.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2847", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=18480506, total_slices=1296696, decompressed_slices=362253, duration.command.search.index=6921, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51438, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10355167, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 04:47:15.584, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655009160_98808', total_run_time=21.87, event_count=0, result_count=0, available_count=0, scan_count=18477883, drop_count=0, exec_time=1655009209, api_et=1654994760.000000000, api_lt=1655009160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654994760.000000000, search_lt=1655009160.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2742", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=18477883, total_slices=1295235, decompressed_slices=362213, duration.command.search.index=10345, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=119806, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10352501, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 04:46:14.904, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655009100_98790', total_run_time=12.53, event_count=0, result_count=0, available_count=0, scan_count=18480369, drop_count=0, exec_time=1655009150, api_et=1654994700.000000000, api_lt=1655009100.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654994700.000000000, search_lt=1655009100.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2584", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=18480369, total_slices=1293691, decompressed_slices=362276, duration.command.search.index=6355, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52302, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10351819, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 04:45:15.054, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655009040_98766', total_run_time=11.71, event_count=0, result_count=0, available_count=0, scan_count=18478152, drop_count=0, exec_time=1655009089, api_et=1654994640.000000000, api_lt=1655009040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654994640.000000000, search_lt=1655009040.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2657", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=18478152, total_slices=1292044, decompressed_slices=362307, duration.command.search.index=6490, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=50708, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10351021, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 04:44:14.552, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655008980_98746', total_run_time=11.82, event_count=0, result_count=0, available_count=0, scan_count=18476844, drop_count=0, exec_time=1655009029, api_et=1654994580.000000000, api_lt=1655008980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654994580.000000000, search_lt=1655008980.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3045", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=18476844, total_slices=1290421, decompressed_slices=362356, duration.command.search.index=6798, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51014, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10349952, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 04:44:14.468, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1655008980_98743', total_run_time=21.64, event_count=0, result_count=0, available_count=0, scan_count=3157, drop_count=0, exec_time=1655009018, api_et=1655005380.000000000, api_lt=1655008980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655005380.000000000, search_lt=1655009020.908280000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2944", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_ff9df7fae599adce", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=127, eliminated_buckets=0, considered_events=3157, total_slices=735733, decompressed_slices=818, duration.command.search.index=1093, invocations.command.search.index.bucketcache.hit=127, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4949, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter 
vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 04:43:14.614, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655008920_98718', total_run_time=13.63, event_count=0, result_count=0, available_count=0, scan_count=18476691, drop_count=0, exec_time=1655008969, api_et=1654994520.000000000, api_lt=1655008920.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654994520.000000000, search_lt=1655008920.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2731", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=18476691, total_slices=1288820, decompressed_slices=362360, duration.command.search.index=7126, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52494, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10348356, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 04:42:14.746, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655008860_98695', total_run_time=11.95, event_count=0, result_count=0, available_count=0, scan_count=18474665, drop_count=0, exec_time=1655008909, api_et=1654994460.000000000, api_lt=1655008860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654994460.000000000, search_lt=1655008860.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2692", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=18474665, total_slices=1287336, decompressed_slices=362416, duration.command.search.index=7003, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51191, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10345563, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 04:41:15.415, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655008800_98670', total_run_time=14.71, event_count=0, result_count=0, available_count=0, scan_count=18474069, drop_count=0, exec_time=1655008849, api_et=1654994400.000000000, api_lt=1655008800.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654994400.000000000, search_lt=1655008800.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2771", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=18474069, total_slices=1285736, decompressed_slices=362425, duration.command.search.index=6882, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51369, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10344472, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 04:40:14.556, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655008740_98647', total_run_time=15.14, event_count=0, result_count=0, available_count=0, scan_count=18472890, drop_count=0, exec_time=1655008790, api_et=1654994340.000000000, api_lt=1655008740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654994340.000000000, search_lt=1655008740.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2634", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=18472890, total_slices=1284157, decompressed_slices=362456, duration.command.search.index=6848, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=50470, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10343420, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 04:39:14.597, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655008680_98631', total_run_time=11.91, event_count=0, result_count=0, available_count=0, scan_count=18472469, drop_count=0, exec_time=1655008729, api_et=1654994280.000000000, api_lt=1655008680.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654994280.000000000, search_lt=1655008680.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2623", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=18472469, total_slices=1282471, decompressed_slices=362369, duration.command.search.index=6828, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=50680, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10343189, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 04:38:14.521, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655008620_98616', total_run_time=12.60, event_count=0, result_count=0, available_count=0, scan_count=18469685, drop_count=0, exec_time=1655008669, api_et=1654994220.000000000, api_lt=1655008620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654994220.000000000, search_lt=1655008620.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2612", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=18469685, total_slices=1280845, decompressed_slices=362407, duration.command.search.index=6851, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=49698, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10340437, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 04:37:14.606, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655008560_98601', total_run_time=13.32, event_count=0, result_count=0, available_count=0, scan_count=18465844, drop_count=0, exec_time=1655008609, api_et=1654994160.000000000, api_lt=1655008560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654994160.000000000, search_lt=1655008560.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2631", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=18465844, total_slices=1279246, decompressed_slices=362389, duration.command.search.index=6738, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=50239, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10337130, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 04:36:14.656, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655008500_98591', total_run_time=14.31, event_count=0, result_count=0, available_count=0, scan_count=18463267, drop_count=0, exec_time=1655008550, api_et=1654994100.000000000, api_lt=1655008500.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654994100.000000000, search_lt=1655008500.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2657", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=1, considered_events=18463267, total_slices=1277761, decompressed_slices=362382, duration.command.search.index=7019, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=49724, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10336584, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 04:35:14.734, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655008440_98569', total_run_time=14.89, event_count=0, result_count=0, available_count=0, scan_count=18461263, drop_count=0, exec_time=1655008490, api_et=1654994040.000000000, api_lt=1655008440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654994040.000000000, search_lt=1655008440.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2762", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=1, considered_events=18461263, total_slices=1276179, decompressed_slices=362432, duration.command.search.index=7036, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52630, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10335845, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 04:34:44.800, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1655008380_98519', total_run_time=55.08, event_count=0, result_count=0, available_count=0, scan_count=40670018, drop_count=0, exec_time=1655008405, api_et=1655004780.000000000, api_lt=1655008380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655004780.000000000, search_lt=1655008407.076876000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3637", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_0b0f5a214c86d069", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1883, eliminated_buckets=134, considered_events=40670018, total_slices=14082653, decompressed_slices=3975422, duration.command.search.index=15152, invocations.command.search.index.bucketcache.hit=1881, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=243556, invocations.command.search.rawdata.bucketcache.hit=286, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 04:34:14.762, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655008380_98533', total_run_time=18.77, event_count=0, result_count=0, available_count=0, scan_count=18458124, drop_count=0, exec_time=1655008429, api_et=1654993980.000000000, api_lt=1655008380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654993980.000000000, search_lt=1655008380.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2770", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=18458124, total_slices=1274532, decompressed_slices=362362, duration.command.search.index=8432, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=67598, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10332909, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 04:33:14.678, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655008320_98496', total_run_time=19.27, event_count=0, result_count=0, available_count=0, scan_count=18458150, drop_count=0, exec_time=1655008369, api_et=1654993920.000000000, api_lt=1655008320.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654993920.000000000, search_lt=1655008320.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2627", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=18458150, total_slices=1272889, decompressed_slices=362372, duration.command.search.index=8078, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=66203, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10330454, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 04:32:14.602, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655008260_98467', total_run_time=16.83, event_count=0, result_count=0, available_count=0, scan_count=18455722, drop_count=0, exec_time=1655008309, api_et=1654993860.000000000, api_lt=1655008260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654993860.000000000, search_lt=1655008260.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2593", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=18455722, total_slices=1271370, decompressed_slices=362442, duration.command.search.index=8233, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=66647, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10327696, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 04:31:14.922, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655008200_98437', total_run_time=19.56, event_count=0, result_count=0, available_count=0, scan_count=18450831, drop_count=0, exec_time=1655008248, api_et=1654993800.000000000, api_lt=1655008200.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654993800.000000000, search_lt=1655008200.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3206", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=18450831, total_slices=1269763, decompressed_slices=362460, duration.command.search.index=7954, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=63603, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10324198, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 04:30:14.610, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655008140_98407', total_run_time=19.12, event_count=0, result_count=0, available_count=0, scan_count=18446242, drop_count=0, exec_time=1655008190, api_et=1654993740.000000000, api_lt=1655008140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654993740.000000000, search_lt=1655008140.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2598", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=18446242, total_slices=1294896, decompressed_slices=362434, duration.command.search.index=7057, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55055, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10321644, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 04:29:07.733, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655008080_98394', total_run_time=15.76, event_count=0, result_count=0, available_count=0, scan_count=18443387, drop_count=0, exec_time=1655008129, api_et=1654993680.000000000, api_lt=1655008080.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654993680.000000000, search_lt=1655008080.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2673", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=18443387, total_slices=1293258, decompressed_slices=362402, duration.command.search.index=7231, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=54799, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10317855, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 04:28:52.261, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655008020_98379', total_run_time=14.44, event_count=0, result_count=0, available_count=0, scan_count=18439315, drop_count=0, exec_time=1655008069, api_et=1654993620.000000000, api_lt=1655008020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654993620.000000000, search_lt=1655008020.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2645", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=18439315, total_slices=1291564, decompressed_slices=362398, duration.command.search.index=6939, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=54097, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10313253, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 04:27:14.942, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655007960_98361', total_run_time=14.31, event_count=0, result_count=0, available_count=0, scan_count=18436494, drop_count=0, exec_time=1655008009, api_et=1654993560.000000000, api_lt=1655007960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654993560.000000000, search_lt=1655007960.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2727", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=18436494, total_slices=1289996, decompressed_slices=362418, duration.command.search.index=7216, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51684, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10310910, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 04:26:15.306, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655007900_98345', total_run_time=15.43, event_count=0, result_count=0, available_count=0, scan_count=18432843, drop_count=0, exec_time=1655007949, api_et=1654993500.000000000, api_lt=1655007900.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654993500.000000000, search_lt=1655007900.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3125", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=18432843, total_slices=1315117, decompressed_slices=362474, duration.command.search.index=6883, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51339, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10308004, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 04:25:14.650, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655007840_98331', total_run_time=14.86, event_count=0, result_count=0, available_count=0, scan_count=18432020, drop_count=0, exec_time=1655007890, api_et=1654993440.000000000, api_lt=1655007840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654993440.000000000, search_lt=1655007840.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2694", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=18432020, total_slices=1313490, decompressed_slices=362483, duration.command.search.index=7721, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55311, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10306658, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 04:24:44.797, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655007720_98279', total_run_time=17.14, event_count=0, result_count=0, available_count=0, scan_count=18431741, drop_count=0, exec_time=1655007770, api_et=1654993320.000000000, api_lt=1655007720.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654993320.000000000, search_lt=1655007720.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2688", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=18431741, total_slices=1310233, decompressed_slices=362533, duration.command.search.index=7144, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57272, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10303049, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 04:24:44.386, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655007780_98312', total_run_time=15.06, event_count=0, result_count=0, available_count=0, scan_count=18432158, drop_count=0, exec_time=1655007829, api_et=1654993380.000000000, api_lt=1655007780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654993380.000000000, search_lt=1655007780.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2674", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=18432158, total_slices=1311853, decompressed_slices=362526, duration.command.search.index=7331, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51755, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10305319, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 04:22:09.523, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655007660_98263', total_run_time=18.05, event_count=0, result_count=0, available_count=0, scan_count=18428706, drop_count=0, exec_time=1655007709, api_et=1654993260.000000000, api_lt=1655007660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654993260.000000000, search_lt=1655007660.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2614", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=18428706, total_slices=1308654, decompressed_slices=362590, duration.command.search.index=7632, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56649, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10299230, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 04:21:09.110, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655007420_98164', total_run_time=14.44, event_count=0, result_count=0, available_count=0, scan_count=18424708, drop_count=0, exec_time=1655007469, api_et=1654993020.000000000, api_lt=1655007420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654993020.000000000, search_lt=1655007420.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2646", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=18424708, total_slices=1302187, decompressed_slices=362524, duration.command.search.index=7802, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55978, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10294248, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 04:21:08.160, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655007600_98234', total_run_time=16.60, event_count=0, result_count=0, available_count=0, scan_count=18428317, drop_count=0, exec_time=1655007649, api_et=1654993200.000000000, api_lt=1655007600.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654993200.000000000, search_lt=1655007600.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2860", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=18428317, total_slices=1306991, decompressed_slices=362612, duration.command.search.index=7787, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58924, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10298505, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 04:21:06.700, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655007540_98211', total_run_time=16.48, event_count=0, result_count=0, available_count=0, scan_count=18427179, drop_count=0, exec_time=1655007589, api_et=1654993140.000000000, api_lt=1655007540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654993140.000000000, search_lt=1655007540.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2737", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=18427179, total_slices=1305523, decompressed_slices=362658, duration.command.search.index=6993, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53661, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10296881, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 04:21:06.337, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655007480_98185', total_run_time=17.43, event_count=0, result_count=0, available_count=0, scan_count=18425870, drop_count=0, exec_time=1655007529, api_et=1654993080.000000000, api_lt=1655007480.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654993080.000000000, search_lt=1655007480.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2667", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=18425870, total_slices=1303936, decompressed_slices=362563, duration.command.search.index=7971, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=66994, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10295688, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 04:17:35.278, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655007360_98141', total_run_time=15.75, event_count=0, result_count=0, available_count=0, scan_count=18423103, drop_count=0, exec_time=1655007409, api_et=1654992960.000000000, api_lt=1655007360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654992960.000000000, search_lt=1655007360.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2767", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=18423103, total_slices=1300688, decompressed_slices=362505, duration.command.search.index=6863, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55100, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10292373, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 04:16:35.425, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1655007360_98135', total_run_time=8.38, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655007370, api_et=1655003160.000000000, api_lt=1655006760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655003760.000000000, search_lt=1655007372.947896000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3831", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_e9e14c3c4227cace", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1015, eliminated_buckets=338, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=636, invocations.command.search.index.bucketcache.hit=1015, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?<rapiddiag_operation>task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?<get_parameters>.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?<task_name>.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 04:16:05.452, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655007300_98123', total_run_time=14.07, event_count=0, result_count=0, available_count=0, scan_count=18419515, drop_count=0, exec_time=1655007349, api_et=1654992900.000000000, api_lt=1655007300.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654992900.000000000, search_lt=1655007300.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2724", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=18419515, total_slices=1299071, decompressed_slices=362470, duration.command.search.index=6518, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53882, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10290517, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 04:15:05.206, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655007240_98104', total_run_time=14.42, event_count=0, result_count=0, available_count=0, scan_count=18418901, drop_count=0, exec_time=1655007289, api_et=1654992840.000000000, api_lt=1655007240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654992840.000000000, search_lt=1655007240.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2719", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=18418901, total_slices=1297439, decompressed_slices=362424, duration.command.search.index=6303, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51378, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10291182, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 04:14:35.317, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1655007240_98091', total_run_time=4.40, event_count=0, result_count=0, available_count=0, scan_count=11666, drop_count=0, exec_time=1655007263, api_et=1655003640.000000000, api_lt=1655007240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655003640.000000000, search_lt=1655007265.267261000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2872", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=417, eliminated_buckets=287, considered_events=11758, total_slices=681410, decompressed_slices=2055, duration.command.search.index=858, invocations.command.search.index.bucketcache.hit=417, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5461, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=48, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=41, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=117, 
sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=27, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=3, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=20, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR 
sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-12-2022 04:14:05.383, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655007180_98081', total_run_time=12.01, event_count=0, result_count=0, available_count=0, scan_count=18416653, drop_count=0, exec_time=1655007229, api_et=1654992780.000000000, api_lt=1655007180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654992780.000000000, search_lt=1655007180.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2613", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=18416653, total_slices=1295820, decompressed_slices=362368, duration.command.search.index=6636, 
invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=49072, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10288401, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 04:13:05.483, user=u00002, action=search, info=completed, 
search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655007120_98054', total_run_time=14.50, event_count=0, result_count=0, available_count=0, scan_count=18415595, drop_count=0, exec_time=1655007169, api_et=1654992720.000000000, api_lt=1655007120.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654992720.000000000, search_lt=1655007120.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2584", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=18415595, total_slices=1294269, decompressed_slices=362393, duration.command.search.index=6933, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53423, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10285662, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" 
src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 04:12:35.338, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655007060_98036', total_run_time=15.66, event_count=0, result_count=0, available_count=0, scan_count=18417246, drop_count=0, exec_time=1655007109, api_et=1654992660.000000000, api_lt=1655007060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654992660.000000000, search_lt=1655007060.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3147", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=18417246, total_slices=1292749, decompressed_slices=362481, duration.command.search.index=7299, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, 
invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53632, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10284813, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 04:11:35.363, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1655007060_98018', total_run_time=5.27, 
event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655007064, api_et=1655003460.000000000, api_lt=1655007060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655003460.000000000, search_lt=1655007066.399539000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="3127", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_571861f3ac6eb805", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=122, eliminated_buckets=46, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=53, invocations.command.search.index.bucketcache.hit=122, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) 
as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 04:11:35.322, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655007000_98011', total_run_time=15.61, event_count=0, result_count=0, available_count=0, scan_count=18415843, drop_count=0, exec_time=1655007050, api_et=1654992600.000000000, api_lt=1655007000.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654992600.000000000, search_lt=1655007000.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2727", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=18415843, total_slices=1291178, decompressed_slices=362450, duration.command.search.index=7038, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, 
duration.command.search.rawdata=53475, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10283796, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 04:10:35.497, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655006940_97990', total_run_time=18.83, event_count=0, result_count=0, available_count=0, scan_count=18416054, drop_count=0, exec_time=1655006989, api_et=1654992540.000000000, 
api_lt=1655006940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654992540.000000000, search_lt=1655006940.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2643", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=18416054, total_slices=1289569, decompressed_slices=362431, duration.command.search.index=6979, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53070, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10284681, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, 
earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 04:09:35.393, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1655006940_97982', total_run_time=19.93, event_count=0, result_count=0, available_count=0, scan_count=4009640, drop_count=0, exec_time=1655006946, api_et=1655002740.000000000, api_lt=1655006340.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655002740.000000000, search_lt=1655006340.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3088", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_1d4d1095a954e04b", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=784, eliminated_buckets=361, considered_events=4009640, total_slices=1193329, decompressed_slices=175616, duration.command.search.index=1671, invocations.command.search.index.bucketcache.hit=782, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=30884, invocations.command.search.rawdata.bucketcache.hit=8, 
duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=84, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 04:09:05.417, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655006880_97974', total_run_time=13.83, event_count=0, result_count=0, available_count=0, 
scan_count=18415088, drop_count=0, exec_time=1655006929, api_et=1654992480.000000000, api_lt=1655006880.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654992480.000000000, search_lt=1655006880.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2658", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=18415088, total_slices=1287912, decompressed_slices=362396, duration.command.search.index=6685, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52691, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10283818, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv 
src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 04:08:35.314, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655006820_97957', total_run_time=15.81, event_count=0, result_count=0, available_count=0, scan_count=18413396, drop_count=0, exec_time=1655006869, api_et=1654992420.000000000, api_lt=1655006820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654992420.000000000, search_lt=1655006820.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2615", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=18413396, total_slices=1286313, decompressed_slices=362322, duration.command.search.index=6778, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51879, 
invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10282737, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 04:08:35.237, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1655006820_97960', total_run_time=23.54, event_count=1162, result_count=54, available_count=0, scan_count=303163, drop_count=0, exec_time=1655006880, api_et=1655003220.000000000, api_lt=1655006820.000000000, api_index_et=N/A, 
api_index_lt=N/A, search_et=1655003220.000000000, search_lt=1655006882.166435000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2741", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=415, eliminated_buckets=201, considered_events=311060, total_slices=523442, decompressed_slices=83350, duration.command.search.index=3259, invocations.command.search.index.bucketcache.hit=415, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=24589, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=249448, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=27485, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | 
`filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-12-2022 04:07:35.524, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1655006820_97952', total_run_time=5.04, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655006846, api_et=1655003220.000000000, api_lt=1655006820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655003220.000000000, search_lt=1655006848.764883000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2709", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_927cc55936fcbd25", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=415, eliminated_buckets=201, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=691, invocations.command.search.index.bucketcache.hit=415, 
duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 04:07:35.366, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655006760_97937', total_run_time=17.66, event_count=0, result_count=0, available_count=0, scan_count=18416371, drop_count=0, exec_time=1655006810, api_et=1654992360.000000000, api_lt=1655006760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654992360.000000000, search_lt=1655006760.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2728", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=18416371, total_slices=1284803, decompressed_slices=362444, duration.command.search.index=7559, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53116, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10283003, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 04:06:35.265, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655006700_97922', total_run_time=16.36, event_count=0, result_count=0, available_count=0, scan_count=18417411, drop_count=0, exec_time=1655006750, api_et=1654992300.000000000, api_lt=1655006700.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654992300.000000000, search_lt=1655006700.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2829", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=18417411, total_slices=1283291, decompressed_slices=362447, duration.command.search.index=7470, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56521, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10283355, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 04:05:05.756, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655006640_97904', total_run_time=15.01, event_count=0, result_count=0, available_count=0, scan_count=18418040, drop_count=0, exec_time=1655006690, api_et=1654992240.000000000, api_lt=1655006640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654992240.000000000, search_lt=1655006640.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2992", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=18418040, total_slices=1281647, decompressed_slices=362413, duration.command.search.index=7465, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57940, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10284909, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 04:04:35.260, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655006580_97862', total_run_time=19.36, event_count=0, result_count=0, available_count=0, scan_count=18419056, drop_count=0, exec_time=1655006629, api_et=1654992180.000000000, api_lt=1655006580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654992180.000000000, search_lt=1655006580.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2805", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=18419056, total_slices=1280140, decompressed_slices=362401, duration.command.search.index=8914, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=77050, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10284926, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 04:03:05.253, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655006520_97815', total_run_time=15.28, event_count=0, result_count=0, available_count=0, scan_count=18409500, drop_count=0, exec_time=1655006569, api_et=1654992120.000000000, api_lt=1655006520.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654992120.000000000, search_lt=1655006520.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2837", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=18409500, total_slices=1277798, decompressed_slices=362213, duration.command.search.index=7553, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=60263, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10274402, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 04:02:07.053, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655006460_97785', total_run_time=16.38, event_count=0, result_count=0, available_count=0, scan_count=18403213, drop_count=0, exec_time=1655006509, api_et=1654992060.000000000, api_lt=1655006460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654992060.000000000, search_lt=1655006460.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2673", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=18403213, total_slices=1276830, decompressed_slices=362237, duration.command.search.index=7879, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61143, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10266949, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 04:01:35.307, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1655006400_97753', total_run_time=17.99, event_count=0, result_count=0, available_count=0, scan_count=18403423, drop_count=0, exec_time=1655006450, api_et=1654992000.000000000, api_lt=1655006400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654992000.000000000, search_lt=1655006400.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2806", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=18403423, total_slices=1275322, decompressed_slices=362270, duration.command.search.index=8346, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=63907, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10269971, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 03:44:04.704, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1655005380_97452', total_run_time=20.19, event_count=0, result_count=0, available_count=0, scan_count=3023, drop_count=0, exec_time=1655005418, api_et=1655001780.000000000, api_lt=1655005380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655001780.000000000, search_lt=1655005419.978412000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2245", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_520ccd681d599c3f", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=0, considered_events=3023, total_slices=798208, decompressed_slices=800, duration.command.search.index=1043, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4819, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter 
vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 03:36:59.344, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1655004780_97242', total_run_time=37.99, event_count=0, result_count=0, available_count=0, scan_count=41080838, drop_count=0, exec_time=1655004805, api_et=1655001180.000000000, api_lt=1655004780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655001180.000000000, search_lt=1655004807.052428000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3958", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_f486370d126259de", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1881, eliminated_buckets=134, considered_events=41080838, total_slices=14037037, decompressed_slices=4051916, duration.command.search.index=14221, invocations.command.search.index.bucketcache.hit=1880, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=223186, invocations.command.search.rawdata.bucketcache.hit=272, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 03:16:16.904, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1655003760_96897', total_run_time=6.42, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655003770, api_et=1654999560.000000000, api_lt=1655003160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655000160.000000000, search_lt=1655003772.082800000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3278", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_1d0f2e46eb01fb4d", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1012, eliminated_buckets=338, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=631, invocations.command.search.index.bucketcache.hit=1012, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes 
values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 03:14:46.882, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1655003640_96856', total_run_time=5.00, event_count=0, result_count=0, available_count=0, scan_count=11935, drop_count=0, exec_time=1655003663, api_et=1655000040.000000000, api_lt=1655003640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1655000040.000000000, search_lt=1655003664.929053000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2838", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=417, eliminated_buckets=287, considered_events=11935, total_slices=630342, decompressed_slices=1928, duration.command.search.index=864, 
invocations.command.search.index.bucketcache.hit=417, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5426, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=33, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=42, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=130, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=28, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=5, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=39, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=5, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR 
sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." 
(CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-12-2022 03:11:16.887, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1655003460_96789', total_run_time=5.62, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655003464, api_et=1654999860.000000000, api_lt=1655003460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654999860.000000000, search_lt=1655003466.535643000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2684", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_3c7ff783acda7605", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=122, eliminated_buckets=46, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=52, invocations.command.search.index.bucketcache.hit=122, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 03:09:47.064, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1655003340_96754', total_run_time=18.68, event_count=0, result_count=0, available_count=0, scan_count=3912448, drop_count=0, exec_time=1655003345, api_et=1654999140.000000000, api_lt=1655002740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654999140.000000000, search_lt=1655002740.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3019", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_37087ca689282037", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=790, eliminated_buckets=365, considered_events=3912448, total_slices=1176152, decompressed_slices=176128, duration.command.search.index=1644, invocations.command.search.index.bucketcache.hit=789, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=29099, invocations.command.search.rawdata.bucketcache.hit=9, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=86, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 03:08:47.062, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1655003220_96741', total_run_time=22.18, event_count=1082, result_count=54, available_count=0, scan_count=288259, drop_count=0, exec_time=1655003284, api_et=1654999620.000000000, api_lt=1655003220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654999620.000000000, search_lt=1655003286.079254000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2721", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=416, eliminated_buckets=201, considered_events=295672, total_slices=486155, decompressed_slices=76068, duration.command.search.index=2614, invocations.command.search.index.bucketcache.hit=416, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=21294, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=235636, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=25969, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | 
rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-12-2022 03:07:47.176, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1655003220_96730', total_run_time=5.15, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655003246, api_et=1654999620.000000000, api_lt=1655003220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654999620.000000000, search_lt=1655003248.114265000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2644", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_1a1854edb4b1bdfd", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=416, eliminated_buckets=201, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=584, invocations.command.search.index.bucketcache.hit=416, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, 
invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 02:44:29.196, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1655001780_96241', total_run_time=21.31, event_count=0, result_count=0, available_count=0, scan_count=4227, drop_count=0, exec_time=1655001818, api_et=1654998180.000000000, api_lt=1655001780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654998180.000000000, search_lt=1655001819.976954000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2845", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_df46ae3c7b2c4e68", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=4227, total_slices=835677, decompressed_slices=1223, duration.command.search.index=1038, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4836, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 02:37:25.933, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1655001180_96031', total_run_time=35.48, event_count=0, result_count=0, available_count=0, scan_count=41431676, drop_count=0, exec_time=1655001205, api_et=1654997580.000000000, api_lt=1655001180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654997580.000000000, search_lt=1655001206.952314000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3520", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_c2beab6f3faaea4c", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1876, eliminated_buckets=134, considered_events=41431676, total_slices=13997768, decompressed_slices=4125269, duration.command.search.index=14350, invocations.command.search.index.bucketcache.hit=1876, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=224496, invocations.command.search.rawdata.bucketcache.hit=278, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 02:16:37.227, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1655000160_95680', total_run_time=7.90, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1655000170, api_et=1654995960.000000000, api_lt=1654999560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654996560.000000000, search_lt=1655000172.567140000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3386", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_543dc1439934fa06", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1013, eliminated_buckets=338, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=635, invocations.command.search.index.bucketcache.hit=1013, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 02:14:27.755, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1655000040_95640', total_run_time=4.43, event_count=0, result_count=0, available_count=0, scan_count=11658, drop_count=0, exec_time=1655000063, api_et=1654996440.000000000, api_lt=1655000040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654996440.000000000, search_lt=1655000065.065975000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2875", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=415, eliminated_buckets=285, considered_events=11664, total_slices=579811, decompressed_slices=1955, duration.command.search.index=936, invocations.command.search.index.bucketcache.hit=415, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5584, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=20, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=41, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=274, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=27, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=3, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=21, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | 
`filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-12-2022 02:11:23.878, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654999860_95574', total_run_time=6.96, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654999864, api_et=1654996260.000000000, api_lt=1654999860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654996260.000000000, search_lt=1654999866.625512000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2361", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_7845c0138ed766ec", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=122, eliminated_buckets=47, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=56, invocations.command.search.index.bucketcache.hit=122, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 02:09:53.953, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654999740_95543', total_run_time=19.31, event_count=0, result_count=0, available_count=0, scan_count=3885403, drop_count=0, exec_time=1654999746, api_et=1654995540.000000000, api_lt=1654999140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654995540.000000000, search_lt=1654999140.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3061", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_eed6efca399fc0e2", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=790, eliminated_buckets=360, considered_events=3885403, total_slices=1230626, decompressed_slices=175746, duration.command.search.index=1677, invocations.command.search.index.bucketcache.hit=787, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=30019, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=80, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 02:08:23.870, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654999620_95522', total_run_time=19.64, event_count=2157, result_count=107, available_count=0, scan_count=371354, drop_count=0, exec_time=1654999680, api_et=1654996020.000000000, api_lt=1654999620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654996020.000000000, search_lt=1654999682.310851000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="3022", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=414, eliminated_buckets=201, considered_events=377396, total_slices=442090, decompressed_slices=86181, duration.command.search.index=3009, invocations.command.search.index.bucketcache.hit=414, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=25617, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=307775, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=36189, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | 
rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-12-2022 02:07:40.069, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654999620_95517', total_run_time=5.19, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654999646, api_et=1654996020.000000000, api_lt=1654999620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654996020.000000000, search_lt=1654999648.064443000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2654", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_708d85863fa9908e", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=414, eliminated_buckets=201, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=676, invocations.command.search.index.bucketcache.hit=414, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, 
invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 01:44:13.348, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654998180_95047', total_run_time=21.05, event_count=0, result_count=0, available_count=0, scan_count=3579, drop_count=0, exec_time=1654998218, api_et=1654994580.000000000, api_lt=1654998180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654994580.000000000, search_lt=1654998220.219312000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2920", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_504aef4e64a5a1ea", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=0, considered_events=3579, total_slices=758016, decompressed_slices=1046, duration.command.search.index=1012, invocations.command.search.index.bucketcache.hit=129, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4822, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 01:36:48.541, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654997580_94840', total_run_time=40.12, event_count=0, result_count=0, available_count=0, scan_count=41327746, drop_count=0, exec_time=1654997605, api_et=1654993980.000000000, api_lt=1654997580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654993980.000000000, search_lt=1654997607.576433000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3660", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_53a9768015d672e2", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1904, eliminated_buckets=134, considered_events=41327746, total_slices=14246374, decompressed_slices=4179615, duration.command.search.index=14081, invocations.command.search.index.bucketcache.hit=1903, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=227952, invocations.command.search.rawdata.bucketcache.hit=306, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 01:16:34.741, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654996560_94498', total_run_time=7.92, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654996570, api_et=1654992360.000000000, api_lt=1654995960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654992960.000000000, search_lt=1654996572.097791000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3224", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_cc87b51abd59d4cb", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1012, eliminated_buckets=337, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=628, invocations.command.search.index.bucketcache.hit=1012, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 01:14:50.353, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654996440_94458', total_run_time=4.20, event_count=0, result_count=0, available_count=0, scan_count=10229, drop_count=0, exec_time=1654996463, api_et=1654992840.000000000, api_lt=1654996440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654992840.000000000, search_lt=1654996465.485320000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2703", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=419, eliminated_buckets=288, considered_events=10238, total_slices=537189, decompressed_slices=2108, duration.command.search.index=1045, invocations.command.search.index.bucketcache.hit=419, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5574, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=39, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=52, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=412, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=29, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=5, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=68, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | 
`filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-12-2022 01:11:39.979, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654996260_94391', total_run_time=6.42, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654996264, api_et=1654992660.000000000, api_lt=1654996260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654992660.000000000, search_lt=1654996266.832400000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="3271", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_8ce810d9b2cacdde", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=123, eliminated_buckets=47, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=103, invocations.command.search.index.bucketcache.hit=123, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 01:09:30.884, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654996140_94360', total_run_time=19.62, event_count=0, result_count=0, available_count=0, scan_count=3725476, drop_count=0, exec_time=1654996145, api_et=1654991940.000000000, api_lt=1654995540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654991940.000000000, search_lt=1654995540.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="2982", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_7605fb05757b6be8", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=792, eliminated_buckets=368, considered_events=3725476, total_slices=1163002, decompressed_slices=171768, duration.command.search.index=1606, invocations.command.search.index.bucketcache.hit=791, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=28042, invocations.command.search.rawdata.bucketcache.hit=7, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=91, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 01:08:59.307, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654996020_94347', total_run_time=20.40, event_count=1947, result_count=107, available_count=0, scan_count=386325, drop_count=0, exec_time=1654996084, api_et=1654992420.000000000, api_lt=1654996020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654992420.000000000, search_lt=1654996085.988714000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2760", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=418, eliminated_buckets=201, considered_events=392983, total_slices=527608, decompressed_slices=84216, duration.command.search.index=3023, invocations.command.search.index.bucketcache.hit=418, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=24887, invocations.command.search.rawdata.bucketcache.hit=6, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=320841, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=33949, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | 
rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-12-2022 01:07:40.021, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654996020_94336', total_run_time=5.59, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654996046, api_et=1654992420.000000000, api_lt=1654996020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654992420.000000000, search_lt=1654996047.970894000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2719", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_068b31abaea7867f", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=418, eliminated_buckets=201, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=690, invocations.command.search.index.bucketcache.hit=418, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, 
invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 01:00:10.896, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654995540_94144', total_run_time=11.81, event_count=0, result_count=0, available_count=0, scan_count=18687605, drop_count=0, exec_time=1654995589, api_et=1654981140.000000000, api_lt=1654995540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654981140.000000000, search_lt=1654995540.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2720", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=142, eliminated_buckets=2, considered_events=18687605, total_slices=1458181, decompressed_slices=355421, duration.command.search.index=6578, invocations.command.search.index.bucketcache.hit=142, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51072, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10442055, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 00:59:11.655, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654995480_94131', total_run_time=11.68, event_count=0, result_count=0, available_count=0, scan_count=18690797, drop_count=0, exec_time=1654995529, api_et=1654981080.000000000, api_lt=1654995480.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654981080.000000000, search_lt=1654995480.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3106", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=142, eliminated_buckets=2, considered_events=18690797, total_slices=1457049, decompressed_slices=355562, duration.command.search.index=6658, invocations.command.search.index.bucketcache.hit=142, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51938, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10446318, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 00:58:11.696, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654995420_94114', total_run_time=13.52, event_count=0, result_count=0, available_count=0, scan_count=18691025, drop_count=0, exec_time=1654995470, api_et=1654981020.000000000, api_lt=1654995420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654981020.000000000, search_lt=1654995420.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2644", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=141, eliminated_buckets=1, considered_events=18691025, total_slices=1455498, decompressed_slices=355467, duration.command.search.index=6733, invocations.command.search.index.bucketcache.hit=141, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53446, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10447162, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 00:57:10.123, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654995360_94095', total_run_time=12.15, event_count=0, result_count=0, available_count=0, scan_count=18691836, drop_count=0, exec_time=1654995409, api_et=1654980960.000000000, api_lt=1654995360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654980960.000000000, search_lt=1654995360.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2556", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=141, eliminated_buckets=1, considered_events=18691836, total_slices=1453875, decompressed_slices=355424, duration.command.search.index=6647, invocations.command.search.index.bucketcache.hit=141, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51370, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10447240, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 00:56:11.469, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654995300_94084', total_run_time=12.40, event_count=0, result_count=0, available_count=0, scan_count=18692819, drop_count=0, exec_time=1654995349, api_et=1654980900.000000000, api_lt=1654995300.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654980900.000000000, search_lt=1654995300.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2640", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=141, eliminated_buckets=1, considered_events=18692819, total_slices=1451857, decompressed_slices=355477, duration.command.search.index=6958, invocations.command.search.index.bucketcache.hit=141, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=50540, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10447093, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 00:55:11.526, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654995240_94066', total_run_time=13.59, event_count=0, result_count=0, available_count=0, scan_count=18693920, drop_count=0, exec_time=1654995289, api_et=1654980840.000000000, api_lt=1654995240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654980840.000000000, search_lt=1654995240.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2644", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=1, considered_events=18693920, total_slices=1450707, decompressed_slices=355440, duration.command.search.index=7010, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=49308, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10448214, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 00:54:10.080, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654995180_94049', total_run_time=13.82, event_count=0, result_count=0, available_count=0, scan_count=18694602, drop_count=0, exec_time=1654995229, api_et=1654980780.000000000, api_lt=1654995180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654980780.000000000, search_lt=1654995180.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3190", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=0, considered_events=18694602, total_slices=1449078, decompressed_slices=355454, duration.command.search.index=6915, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=49798, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10448760, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 00:53:31.570, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654995120_94023', total_run_time=13.18, event_count=0, result_count=0, available_count=0, scan_count=18692551, drop_count=0, exec_time=1654995169, api_et=1654980720.000000000, api_lt=1654995120.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654980720.000000000, search_lt=1654995120.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2809", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=0, considered_events=18692551, total_slices=1447350, decompressed_slices=355433, duration.command.search.index=7312, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51393, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10447952, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 00:52:10.217, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654995060_94006', total_run_time=12.61, event_count=0, result_count=0, available_count=0, scan_count=18692547, drop_count=0, exec_time=1654995110, api_et=1654980660.000000000, api_lt=1654995060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654980660.000000000, search_lt=1654995060.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2556", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=0, considered_events=18692547, total_slices=1445785, decompressed_slices=355438, duration.command.search.index=7094, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51820, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10449269, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 00:51:12.379, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654995000_93982', total_run_time=14.48, event_count=0, result_count=0, available_count=0, scan_count=18696181, drop_count=0, exec_time=1654995049, api_et=1654980600.000000000, api_lt=1654995000.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654980600.000000000, search_lt=1654995000.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2684", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=0, considered_events=18696181, total_slices=1444208, decompressed_slices=355436, duration.command.search.index=7208, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57692, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10452019, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 00:50:24.403, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654994940_93959', total_run_time=11.94, event_count=0, result_count=0, available_count=0, scan_count=18698166, drop_count=0, exec_time=1654994990, api_et=1654980540.000000000, api_lt=1654994940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654980540.000000000, search_lt=1654994940.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2678", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=0, considered_events=18698166, total_slices=1442501, decompressed_slices=355375, duration.command.search.index=6945, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=49043, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10453539, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 00:49:55.908, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654994820_93918', total_run_time=12.89, event_count=0, result_count=0, available_count=0, scan_count=18696626, drop_count=0, exec_time=1654994870, api_et=1654980420.000000000, api_lt=1654994820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654980420.000000000, search_lt=1654994820.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2640", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=0, considered_events=18696626, total_slices=1439195, decompressed_slices=355298, duration.command.search.index=6821, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51704, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10456279, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 00:49:54.203, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654994880_93935', total_run_time=12.76, event_count=0, result_count=0, available_count=0, scan_count=18697861, drop_count=0, exec_time=1654994929, api_et=1654980480.000000000, api_lt=1654994880.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654980480.000000000, search_lt=1654994880.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2641", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=0, considered_events=18697861, total_slices=1440935, decompressed_slices=355403, duration.command.search.index=7223, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53432, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10454476, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 00:47:13.332, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654994760_93895', total_run_time=12.82, event_count=0, result_count=0, available_count=0, scan_count=18698980, drop_count=0, exec_time=1654994809, api_et=1654980360.000000000, api_lt=1654994760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654980360.000000000, search_lt=1654994760.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2641", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=18698980, total_slices=1437669, decompressed_slices=355410, duration.command.search.index=6619, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=49859, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10458521, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 00:46:12.228, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654994700_93876', total_run_time=11.36, event_count=0, result_count=0, available_count=0, scan_count=18695303, drop_count=0, exec_time=1654994749, api_et=1654980300.000000000, api_lt=1654994700.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654980300.000000000, search_lt=1654994700.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2410", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=18695303, total_slices=1436088, decompressed_slices=355335, duration.command.search.index=6717, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=49321, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10458440, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 00:45:11.340, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654994640_93853', total_run_time=14.42, event_count=0, result_count=0, available_count=0, scan_count=18696751, drop_count=0, exec_time=1654994690, api_et=1654980240.000000000, api_lt=1654994640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654980240.000000000, search_lt=1654994640.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3296", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=18696751, total_slices=1434284, decompressed_slices=355313, duration.command.search.index=7006, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=49229, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10460642, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 00:44:12.143, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654994580_93832', total_run_time=12.23, event_count=0, result_count=0, available_count=0, scan_count=18697931, drop_count=0, exec_time=1654994629, api_et=1654980180.000000000, api_lt=1654994580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654980180.000000000, search_lt=1654994580.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2974", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=18697931, total_slices=1459620, decompressed_slices=355404, duration.command.search.index=6699, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55899, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10461585, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 00:44:12.115, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654994580_93829', total_run_time=22.39, event_count=0, result_count=0, available_count=0, scan_count=3548, drop_count=0, exec_time=1654994618, api_et=1654990980.000000000, api_lt=1654994580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654990980.000000000, search_lt=1654994620.036486000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2869", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_517a963ddbe7471f", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=128, eliminated_buckets=0, considered_events=3548, total_slices=996832, decompressed_slices=808, duration.command.search.index=1130, invocations.command.search.index.bucketcache.hit=128, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4883, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter 
vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 00:43:12.543, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654994520_93803', total_run_time=12.29, event_count=0, result_count=0, available_count=0, scan_count=18698658, drop_count=0, exec_time=1654994569, api_et=1654980120.000000000, api_lt=1654994520.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654980120.000000000, search_lt=1654994520.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2667", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=18698658, total_slices=1458051, decompressed_slices=355391, duration.command.search.index=6609, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51369, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10463338, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 00:42:11.450, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654994460_93780', total_run_time=13.02, event_count=0, result_count=0, available_count=0, scan_count=18701486, drop_count=0, exec_time=1654994509, api_et=1654980060.000000000, api_lt=1654994460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654980060.000000000, search_lt=1654994460.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2640", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=18701486, total_slices=1456480, decompressed_slices=355470, duration.command.search.index=6789, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51536, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10466310, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 00:41:12.114, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654994400_93755', total_run_time=14.13, event_count=0, result_count=0, available_count=0, scan_count=18705484, drop_count=0, exec_time=1654994449, api_et=1654980000.000000000, api_lt=1654994400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654980000.000000000, search_lt=1654994400.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2621", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=18705484, total_slices=1454909, decompressed_slices=355422, duration.command.search.index=7218, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53487, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10468291, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 00:40:07.183, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654994340_93733', total_run_time=12.71, event_count=0, result_count=0, available_count=0, scan_count=18704788, drop_count=0, exec_time=1654994389, api_et=1654979940.000000000, api_lt=1654994340.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654979940.000000000, search_lt=1654994340.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2730", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=18704788, total_slices=1453295, decompressed_slices=355435, duration.command.search.index=6797, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=49796, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10468613, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 00:40:06.699, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654994220_93701', total_run_time=15.91, event_count=0, result_count=0, available_count=0, scan_count=18710557, drop_count=0, exec_time=1654994270, api_et=1654979820.000000000, api_lt=1654994220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654979820.000000000, search_lt=1654994220.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2659", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=18710557, total_slices=1450042, decompressed_slices=355455, duration.command.search.index=6702, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=50515, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10473350, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 00:40:06.053, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654994280_93717', total_run_time=12.41, event_count=0, result_count=0, available_count=0, scan_count=18706005, drop_count=0, exec_time=1654994329, api_et=1654979880.000000000, api_lt=1654994280.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654979880.000000000, search_lt=1654994280.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2567", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=18706005, total_slices=1451568, decompressed_slices=355423, duration.command.search.index=6832, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=49827, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10469763, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 00:37:09.717, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654994160_93686', total_run_time=12.40, event_count=0, result_count=0, available_count=0, scan_count=18714013, drop_count=0, exec_time=1654994210, api_et=1654979760.000000000, api_lt=1654994160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654979760.000000000, search_lt=1654994160.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2752", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=18714013, total_slices=1448429, decompressed_slices=355449, duration.command.search.index=6688, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=48931, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10476410, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 00:36:11.341, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654994100_93676', total_run_time=13.08, event_count=0, result_count=0, available_count=0, scan_count=18716806, drop_count=0, exec_time=1654994150, api_et=1654979700.000000000, api_lt=1654994100.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654979700.000000000, search_lt=1654994100.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2725", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=18716806, total_slices=1446824, decompressed_slices=355424, duration.command.search.index=6631, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53074, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10478098, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 00:35:09.890, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654994040_93655', total_run_time=13.94, event_count=0, result_count=0, available_count=0, scan_count=18718360, drop_count=0, exec_time=1654994090, api_et=1654979640.000000000, api_lt=1654994040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654979640.000000000, search_lt=1654994040.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2781", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=18718360, total_slices=1445218, decompressed_slices=355384, duration.command.search.index=7060, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52615, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10478872, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 00:34:37.168, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654993920_93582', total_run_time=19.03, event_count=0, result_count=0, available_count=0, scan_count=18721972, drop_count=0, exec_time=1654993969, api_et=1654979520.000000000, api_lt=1654993920.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654979520.000000000, search_lt=1654993920.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2779", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=18721972, total_slices=1441819, decompressed_slices=355409, duration.command.search.index=8321, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=65058, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10483683, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 00:34:36.570, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654993980_93605', total_run_time=46.62, event_count=0, result_count=0, available_count=0, scan_count=41183796, drop_count=0, exec_time=1654994005, api_et=1654990380.000000000, api_lt=1654993980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654990380.000000000, search_lt=1654994007.160706000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3852", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_6d38e83a414feb03", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1911, eliminated_buckets=134, considered_events=41183796, total_slices=14371253, decompressed_slices=4177004, duration.command.search.index=14783, invocations.command.search.index.bucketcache.hit=1910, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=244122, invocations.command.search.rawdata.bucketcache.hit=305, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 00:34:35.994, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654993980_93619', total_run_time=15.35, event_count=0, result_count=0, available_count=0, scan_count=18721272, drop_count=0, exec_time=1654994029, api_et=1654979580.000000000, api_lt=1654993980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654979580.000000000, search_lt=1654993980.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2634", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=18721272, total_slices=1443517, decompressed_slices=355402, duration.command.search.index=8189, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59505, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10480792, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 00:32:11.120, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654993860_93552', total_run_time=17.19, event_count=0, result_count=0, available_count=0, scan_count=18727077, drop_count=0, exec_time=1654993910, api_et=1654979460.000000000, api_lt=1654993860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654979460.000000000, search_lt=1654993860.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3309", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=18727077, total_slices=1440326, decompressed_slices=355438, duration.command.search.index=7714, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59361, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10486858, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 00:31:42.504, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654993800_93524', total_run_time=33.44, event_count=0, result_count=0, available_count=0, scan_count=18728739, drop_count=0, exec_time=1654993849, api_et=1654979400.000000000, api_lt=1654993800.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654979400.000000000, search_lt=1654993800.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2794", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=18728739, total_slices=1438750, decompressed_slices=355371, duration.command.search.index=8132, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=65672, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10487914, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 00:30:10.946, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654993740_93495', total_run_time=12.85, event_count=0, result_count=0, available_count=0, scan_count=18730271, drop_count=0, exec_time=1654993790, api_et=1654979340.000000000, api_lt=1654993740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654979340.000000000, search_lt=1654993740.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2813", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=18730271, total_slices=1437062, decompressed_slices=355356, duration.command.search.index=6729, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=50905, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10487723, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 00:29:37.564, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654993620_93466', total_run_time=12.83, event_count=0, result_count=0, available_count=0, scan_count=18736025, drop_count=0, exec_time=1654993669, api_et=1654979220.000000000, api_lt=1654993620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654979220.000000000, search_lt=1654993620.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2628", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=18736025, total_slices=1433713, decompressed_slices=355395, duration.command.search.index=6831, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=50730, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10492231, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 00:29:36.981, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654993680_93481', total_run_time=12.87, event_count=0, result_count=0, available_count=0, scan_count=18733390, drop_count=0, exec_time=1654993729, api_et=1654979280.000000000, api_lt=1654993680.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654979280.000000000, search_lt=1654993680.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2933", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=18733390, total_slices=1435409, decompressed_slices=355437, duration.command.search.index=6677, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52891, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10490568, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 00:27:13.978, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654993560_93447', total_run_time=13.65, event_count=0, result_count=0, available_count=0, scan_count=18737671, drop_count=0, exec_time=1654993609, api_et=1654979160.000000000, api_lt=1654993560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654979160.000000000, search_lt=1654993560.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2635", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=18737671, total_slices=1432134, decompressed_slices=355410, duration.command.search.index=6877, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=49661, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10494373, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 00:26:14.128, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654993500_93431', total_run_time=11.95, event_count=0, result_count=0, available_count=0, scan_count=18737632, drop_count=0, exec_time=1654993549, api_et=1654979100.000000000, api_lt=1654993500.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654979100.000000000, search_lt=1654993500.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2784", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=18737632, total_slices=1430544, decompressed_slices=355356, duration.command.search.index=6772, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=49423, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10493890, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 00:25:44.706, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654993440_93417', total_run_time=29.84, event_count=0, result_count=0, available_count=0, scan_count=18738352, drop_count=0, exec_time=1654993490, api_et=1654979040.000000000, api_lt=1654993440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654979040.000000000, search_lt=1654993440.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2687", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=18738352, total_slices=1428847, decompressed_slices=355310, duration.command.search.index=7113, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55869, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10493891, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 00:24:33.580, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654993380_93398', total_run_time=30.30, event_count=0, result_count=0, available_count=0, scan_count=18740395, drop_count=0, exec_time=1654993429, api_et=1654978980.000000000, api_lt=1654993380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654978980.000000000, search_lt=1654993380.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2637", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=18740395, total_slices=1427213, decompressed_slices=355310, duration.command.search.index=7221, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53108, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10495547, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 00:24:11.781, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654993320_93365', total_run_time=30.68, event_count=0, result_count=0, available_count=0, scan_count=18743783, drop_count=0, exec_time=1654993369, api_et=1654978920.000000000, api_lt=1654993320.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654978920.000000000, search_lt=1654993320.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3326", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=18743783, total_slices=1425430, decompressed_slices=355284, duration.command.search.index=7578, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56927, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10499472, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 00:22:24.964, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654993260_93349', total_run_time=26.72, event_count=0, result_count=0, available_count=0, scan_count=18744877, drop_count=0, exec_time=1654993309, api_et=1654978860.000000000, api_lt=1654993260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654978860.000000000, search_lt=1654993260.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2681", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=18744877, total_slices=1423900, decompressed_slices=355388, duration.command.search.index=7143, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58787, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10502367, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 00:21:54.190, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD5f35305de57109d38_at_1654993200_93322', total_run_time=52.76, event_count=10503673, result_count=15, available_count=0, scan_count=18746975, drop_count=0, exec_time=1654993258, api_et=1654978800.000000000, api_lt=1654993200.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654978800.000000000, search_lt=1654993200.000000000, is_realtime=0, savedsearch_name="(1/3)_Public/NAT IP_Updating Existing IP", search_startup_time="2689", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_0f6d107c44b6659a", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=18746975, total_slices=1422588, decompressed_slices=355372, duration.command.search.index=8904, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=62782, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10503673, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="False" | eval earliest_seen=strptime(existing_es, "%m/%d/%Y %H:%M:%S.%N") | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(earliest_seen) as 
earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields ServiceType, host, src_translated_ip, earliest_seen, latest_seen, right_now, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 00:21:54.098, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654993200_93318', total_run_time=46.85, event_count=0, result_count=0, available_count=0, scan_count=18746975, drop_count=0, exec_time=1654993249, api_et=1654978800.000000000, api_lt=1654993200.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654978800.000000000, search_lt=1654993200.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2652", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=18746975, total_slices=1422389, decompressed_slices=355371, duration.command.search.index=7947, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=64106, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10503673, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 00:20:54.001, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654993140_93293', total_run_time=48.24, event_count=0, result_count=0, available_count=0, scan_count=18749021, drop_count=0, exec_time=1654993189, api_et=1654978740.000000000, api_lt=1654993140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654978740.000000000, search_lt=1654993140.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2736", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=18749021, total_slices=1420644, decompressed_slices=355373, duration.command.search.index=7458, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59440, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10504468, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 00:19:43.106, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654993080_93268', total_run_time=42.16, event_count=0, result_count=0, available_count=0, scan_count=18752003, drop_count=0, exec_time=1654993129, api_et=1654978680.000000000, api_lt=1654993080.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654978680.000000000, search_lt=1654993080.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2862", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=18752003, total_slices=1419058, decompressed_slices=355437, duration.command.search.index=7394, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=60868, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10506056, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 00:19:21.671, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654993020_93246', total_run_time=18.94, event_count=0, result_count=0, available_count=0, scan_count=18755445, drop_count=0, exec_time=1654993069, api_et=1654978620.000000000, api_lt=1654993020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654978620.000000000, search_lt=1654993020.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2774", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=18755445, total_slices=1417408, decompressed_slices=355504, duration.command.search.index=7365, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57465, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10510238, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 00:17:46.231, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654992960_93222', total_run_time=36.00, event_count=0, result_count=0, available_count=0, scan_count=18755997, drop_count=0, exec_time=1654993009, api_et=1654978560.000000000, api_lt=1654992960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654978560.000000000, search_lt=1654992960.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2603", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=18755997, total_slices=1415720, decompressed_slices=355541, duration.command.search.index=7303, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61957, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10512766, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 00:16:45.421, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654992960_93216', total_run_time=8.23, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654992971, api_et=1654988760.000000000, api_lt=1654992360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654989360.000000000, search_lt=1654992973.561054000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3866", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_764b4fb3aea8273b", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1012, eliminated_buckets=334, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=644, invocations.command.search.index.bucketcache.hit=1012, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes 
values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 00:16:15.532, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654992900_93206', total_run_time=24.75, event_count=0, result_count=0, available_count=0, scan_count=18757202, drop_count=0, exec_time=1654992950, api_et=1654978500.000000000, api_lt=1654992900.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654978500.000000000, search_lt=1654992900.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2758", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=18757202, total_slices=1414291, 
decompressed_slices=355466, duration.command.search.index=7708, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=62820, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10514242, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 00:15:46.081, 
user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654992840_93186', total_run_time=27.09, event_count=0, result_count=0, available_count=0, scan_count=18756852, drop_count=0, exec_time=1654992890, api_et=1654978440.000000000, api_lt=1654992840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654978440.000000000, search_lt=1654992840.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2583", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=18756852, total_slices=1412701, decompressed_slices=355419, duration.command.search.index=6486, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59509, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10514672, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" 
dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 00:14:37.332, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654992840_93173', total_run_time=5.96, event_count=0, result_count=0, available_count=0, scan_count=9715, drop_count=0, exec_time=1654992863, api_et=1654989240.000000000, api_lt=1654992840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654989240.000000000, search_lt=1654992865.705099000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2870", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=416, eliminated_buckets=286, considered_events=9731, total_slices=478518, decompressed_slices=2157, duration.command.search.index=1058, invocations.command.search.index.bucketcache.hit=416, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5796, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=36, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=59, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=173, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=39, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=4, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=31, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=5, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR 
sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." 
(CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-12-2022 00:14:20.053, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654992780_93163', total_run_time=24.62, event_count=0, result_count=0, available_count=0, scan_count=18760789, drop_count=0, exec_time=1654992829, api_et=1654978380.000000000, api_lt=1654992780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654978380.000000000, search_lt=1654992780.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2598", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=18760789, total_slices=1411088, decompressed_slices=355496, duration.command.search.index=6785, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52993, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10518315, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 00:14:18.655, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654992720_93134', total_run_time=36.26, event_count=0, result_count=0, available_count=0, scan_count=18763582, drop_count=0, exec_time=1654992769, api_et=1654978320.000000000, api_lt=1654992720.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654978320.000000000, search_lt=1654992720.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2793", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=18763582, total_slices=1409513, decompressed_slices=355544, duration.command.search.index=7122, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59552, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10522269, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 00:12:23.786, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654992660_93116', total_run_time=26.66, event_count=0, result_count=0, available_count=0, scan_count=18763678, drop_count=0, exec_time=1654992709, api_et=1654978260.000000000, api_lt=1654992660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654978260.000000000, search_lt=1654992660.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3214", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=18763678, total_slices=1408025, decompressed_slices=355511, duration.command.search.index=7773, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55538, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10523884, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 00:11:24.234, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654992600_93092', total_run_time=27.28, event_count=0, result_count=0, available_count=0, scan_count=18764359, drop_count=0, exec_time=1654992650, api_et=1654978200.000000000, api_lt=1654992600.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654978200.000000000, search_lt=1654992600.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2713", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=1, considered_events=18764359, total_slices=1433483, decompressed_slices=355474, duration.command.search.index=8198, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=60295, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10524905, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 00:11:14.958, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654992660_93099', total_run_time=6.39, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654992665, api_et=1654989060.000000000, api_lt=1654992660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654989060.000000000, search_lt=1654992666.850143000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2401", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_305df323261fffd3", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=123, eliminated_buckets=46, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=60, invocations.command.search.index.bucketcache.hit=123, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 00:10:57.107, user=u00002, action=search, info=completed, search_id='scheduler__u00002__search__RMD5b133e58a16dd7195_at_1654992000_92983', total_run_time=297.82, event_count=2696, result_count=2695, available_count=0, scan_count=1757318, drop_count=0, exec_time=1654992289, api_et=1654905600.000000000, api_lt=1654992000.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1567209600.000000000, search_lt=1654992000.000000000, is_realtime=0, savedsearch_name="DMO Confluence Aging Metrics", search_startup_time="64600", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_search_u00002_d9793d70b4fea024", app="search", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=30400, eliminated_buckets=4805, considered_events=1757318, total_slices=14051924, decompressed_slices=1089806, duration.command.search.index=1199567, invocations.command.search.index.bucketcache.hit=27825, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=2628, duration.command.search.index.bucketcache.miss=551557, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=253848, invocations.command.search.rawdata.bucketcache.hit=20774, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=901, duration.command.search.rawdata.bucketcache.miss=406397, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__access=71088, sourcetype_count__atlassian:confluence:access=1170765, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search earliest=08/31/2019:00:00:00 latest=now index=ops_confluence url IN ("https://confluence.tshirt.com/display/SEC/*") uri_path="/rest/quickreload/latest/*" | fields url, uri_path | rex field=uri_path "\/rest\/quickreload\/latest\/(?[^?]+)" | rex field=url "https:\/\/confluence.tshirt.com\/display\/SEC\/(?[^?]+)" | rex field=url "https://confluence.tshirt.com/display/~u00001/(?[^?]+)" | eval pageTitle=coalesce(pageTitle_1, pageTitle_2, "") | fields pageId, pageTitle | dedup pageId | join type=left pageId [search earliest=08/31/2019:00:00:00 latest=now index=ops_confluence PUT user=* url="https://confluence.tshirt.com/pages/resumedraft.action?draftId=*" uri_path="/rest/api/content/*" | rex field=uri_path "\/rest\/api\/content\/(?[^?]+)\?status=draft" | stats latest(_time) AS last_edited latest(user) AS last_edited_by by pageId | fields last_edited last_edited_by pageId] | fields last_edited pageTitle pageId last_edited_by | eval days=round(((now()-last_edited)/86400),0) | convert ctime(last_edited) | table last_edited pageTitle pageId last_edited_by days | where pageId!=0 | sort +days | outputlookup dmo_conf_age.csv'] Audit:[timestamp=06-12-2022 00:10:57.048, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654992480_93051', total_run_time=29.54, event_count=0, result_count=0, available_count=0, scan_count=18767873, drop_count=0, exec_time=1654992529, api_et=1654978080.000000000, api_lt=1654992480.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654978080.000000000, search_lt=1654992480.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT 
IP_Updating New IP", search_startup_time="2587", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=1, considered_events=18767873, total_slices=1457165, decompressed_slices=355492, duration.command.search.index=7529, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57301, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10528222, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) 
latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 00:10:56.927, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654992540_93067', total_run_time=33.26, event_count=0, result_count=0, available_count=0, scan_count=18765906, drop_count=0, exec_time=1654992589, api_et=1654978140.000000000, api_lt=1654992540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654978140.000000000, search_lt=1654992540.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2937", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=1, considered_events=18765906, total_slices=1431870, decompressed_slices=355480, duration.command.search.index=7540, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=60073, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, 
sourcetype_count__pan:traffic=10526486, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 00:10:56.841, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654992420_93029', total_run_time=14.89, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654992446, api_et=1654988820.000000000, api_lt=1654992420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654988820.000000000, search_lt=1654992448.840470000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2902", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_c64ed5ff491fc73e", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=417, eliminated_buckets=201, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=1182, invocations.command.search.index.bucketcache.hit=415, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, 
risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 00:10:56.410, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654992360_93013', total_run_time=66.47, event_count=0, result_count=0, available_count=0, scan_count=18769492, drop_count=0, exec_time=1654992410, api_et=1654977960.000000000, api_lt=1654992360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654977960.000000000, search_lt=1654992360.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3612", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=1, considered_events=18769492, total_slices=1454093, decompressed_slices=355498, duration.command.search.index=8757, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=79798, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, 
invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10531663, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 00:10:55.593, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654992540_93059', total_run_time=18.53, event_count=0, result_count=0, available_count=0, scan_count=3720701, drop_count=0, exec_time=1654992545, api_et=1654988340.000000000, api_lt=1654991940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654988340.000000000, search_lt=1654991940.000000000, is_realtime=0, savedsearch_name="Threat - 
DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3012", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_711fc849298a572c", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=787, eliminated_buckets=361, considered_events=3720701, total_slices=1225576, decompressed_slices=167530, duration.command.search.index=1750, invocations.command.search.index.bucketcache.hit=786, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=29148, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=88, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId 
granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-12-2022 00:10:55.581, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654992420_93036', total_run_time=36.75, event_count=1182, result_count=60, available_count=0, scan_count=314710, drop_count=0, exec_time=1654992480, api_et=1654988820.000000000, api_lt=1654992420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654988820.000000000, search_lt=1654992482.281605000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2927", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=417, eliminated_buckets=201, considered_events=322334, total_slices=574172, decompressed_slices=83918, duration.command.search.index=4013, invocations.command.search.index.bucketcache.hit=415, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=28013, invocations.command.search.rawdata.bucketcache.hit=5, duration.command.search.rawdata.bucketcache.hit=0, 
invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=259312, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=27887, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-12-2022 00:06:39.315, user=u00002, action=search, 
info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654992240_92981', total_run_time=81.67, event_count=0, result_count=0, available_count=0, scan_count=18771254, drop_count=0, exec_time=1654992289, api_et=1654977840.000000000, api_lt=1654992240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654977840.000000000, search_lt=1654992240.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2790", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=1, considered_events=18771254, total_slices=1450785, decompressed_slices=355488, duration.command.search.index=14334, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=121793, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10532310, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" 
src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 00:06:10.857, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654992120_92888', total_run_time=79.89, event_count=0, result_count=0, available_count=0, scan_count=18785310, drop_count=0, exec_time=1654992170, api_et=1654977720.000000000, api_lt=1654992120.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654977720.000000000, search_lt=1654992120.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2880", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=2, considered_events=18785310, total_slices=1447712, decompressed_slices=355768, duration.command.search.index=15569, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, 
invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=126120, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10546950, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 00:02:07.384, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654992000_92820', total_run_time=62.96, 
event_count=0, result_count=0, available_count=0, scan_count=18791288, drop_count=0, exec_time=1654992049, api_et=1654977600.000000000, api_lt=1654992000.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654977600.000000000, search_lt=1654992000.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2560", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=1, considered_events=18791288, total_slices=1471329, decompressed_slices=355891, duration.command.search.index=15771, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=136182, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10553296, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, 
dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-12-2022 00:01:37.784, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD5447569e8e48a25cb_at_1654992000_92817', total_run_time=63.07, event_count=0, result_count=102, available_count=0, scan_count=0, drop_count=0, exec_time=1654992032, api_et=1654990200.000000000, api_lt=1654992000.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654990200.000000000, search_lt=1654992000.000000000, is_realtime=0, savedsearch_name="DMO SOP SIR Metrics", search_startup_time="63800", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=0, eliminated_buckets=0, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=0, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, 
invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='| inputlookup dmo_conf_age.csv | search pageTitle IN ("DMOESS*", "RQ-S*") NOT pageTitle IN ("*+Retired", "*+RETIRED") | rex field=pageTitle "^(?\S+?)\+" | join usecase_id [| search earliest=-1y index=sec_snow sourcetype=snow:sn_si_incident | rex field=description "(?s)\|\s(?(RQ-|DMOESS).*)?For ServiceNow Consumption:" | stats latest(number) as latest_sir_number by _time, usecase_title | makemv usecase_title delim=" | " | mvexpand usecase_title | search usecase_title IN ("RQ-*", "DMOESS*") | stats last(latest_sir_number) as latest_sir_number latest(_time) as last_appeared_in_sir by usecase_title | rex field=usecase_title "^(?\S*)" | fields usecase_id, usecase_title, latest_sir_number, last_appeared_in_sir] | stats values(pageTitle) as conf_pageTitle, values(last_edited_by) as conf_last_edited_by, values(last_edited) as conf_last_edited, values(days) as conf_days_since_last_edit, values(pageId) as conf_pageId by last_appeared_in_sir, latest_sir_number, usecase_id, usecase_title | convert ctime(last_appeared_in_sir) | outputlookup dmo_sop_sir_metrics.csv'] Audit:[timestamp=06-11-2022 23:44:20.010, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654990980_92528', total_run_time=21.28, event_count=0, result_count=0, available_count=0, scan_count=4216, drop_count=0, exec_time=1654991018, api_et=1654987380.000000000, api_lt=1654990980.000000000, api_index_et=N/A, api_index_lt=N/A, 
search_et=1654987380.000000000, search_lt=1654991020.539894000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2878", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_1eefaad528cffb2e", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=124, eliminated_buckets=0, considered_events=4216, total_slices=965728, decompressed_slices=1074, duration.command.search.index=1009, invocations.command.search.index.bucketcache.hit=124, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4767, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone 
dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 23:37:17.485, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654990380_92320', total_run_time=37.30, event_count=0, result_count=0, available_count=0, scan_count=41105366, drop_count=0, exec_time=1654990405, api_et=1654986780.000000000, api_lt=1654990380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654986780.000000000, search_lt=1654990407.242007000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3932", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_72cb9fdee1232af4", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1880, eliminated_buckets=134, considered_events=41105366, total_slices=14162257, decompressed_slices=4169339, duration.command.search.index=15695, invocations.command.search.index.bucketcache.hit=1879, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=223911, invocations.command.search.rawdata.bucketcache.hit=280, duration.command.search.rawdata.bucketcache.hit=0, 
invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 23:16:46.632, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654989360_91979', total_run_time=7.32, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654989370, api_et=1654985160.000000000, api_lt=1654988760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654985760.000000000, search_lt=1654989372.643294000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - 
CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3128", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_c14792d1b562933a", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1018, eliminated_buckets=337, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=620, invocations.command.search.index.bucketcache.hit=1018, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract 
payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 23:14:46.637, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654989240_91938', total_run_time=4.69, event_count=0, result_count=0, available_count=0, scan_count=12020, drop_count=0, exec_time=1654989263, api_et=1654985640.000000000, api_lt=1654989240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654985640.000000000, search_lt=1654989265.305210000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2739", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=414, eliminated_buckets=284, 
considered_events=12022, total_slices=447290, decompressed_slices=1955, duration.command.search.index=883, invocations.command.search.index.bucketcache.hit=414, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5314, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=29, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=49, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=131, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=30, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=4, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=43, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=2, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR 
sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." 
(CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-11-2022 23:11:16.658, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654989060_91872', total_run_time=4.62, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654989063, api_et=1654985460.000000000, api_lt=1654989060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654985460.000000000, search_lt=1654989065.434724000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2248", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_dc6b46e088653f9e", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=123, eliminated_buckets=46, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=52, invocations.command.search.index.bucketcache.hit=123, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 23:09:46.703, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654988940_91841', total_run_time=20.28, event_count=0, result_count=0, available_count=0, scan_count=3722516, drop_count=0, exec_time=1654988945, api_et=1654984740.000000000, api_lt=1654988340.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654984740.000000000, search_lt=1654988340.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3068", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_4dcd1e9d725aa3a1", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=785, eliminated_buckets=361, considered_events=3722516, total_slices=1170704, decompressed_slices=172913, duration.command.search.index=1585, invocations.command.search.index.bucketcache.hit=783, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=28731, invocations.command.search.rawdata.bucketcache.hit=5, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=89, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 23:08:53.528, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654988820_91822', total_run_time=19.92, event_count=1150, result_count=54, available_count=0, scan_count=314570, drop_count=0, exec_time=1654988880, api_et=1654985220.000000000, api_lt=1654988820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654985220.000000000, search_lt=1654988882.165287000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2856", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=417, eliminated_buckets=201, considered_events=321376, total_slices=645458, decompressed_slices=82054, duration.command.search.index=2917, invocations.command.search.index.bucketcache.hit=417, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=24101, invocations.command.search.rawdata.bucketcache.hit=5, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=1, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=260846, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=27634, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype 
CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-11-2022 23:07:46.477, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654988820_91817', total_run_time=4.32, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654988846, api_et=1654985220.000000000, api_lt=1654988820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654985220.000000000, search_lt=1654988848.441839000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2625", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_5492664b1c36819a", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=417, eliminated_buckets=201, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=678, invocations.command.search.index.bucketcache.hit=417, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 22:44:01.227, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654987380_91350', total_run_time=21.90, event_count=0, result_count=0, available_count=0, scan_count=2944, drop_count=0, exec_time=1654987418, api_et=1654983780.000000000, api_lt=1654987380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654983780.000000000, search_lt=1654987420.509555000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3010", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_404124183e24a3c2", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=127, eliminated_buckets=0, considered_events=2944, total_slices=902215, decompressed_slices=803, duration.command.search.index=1062, invocations.command.search.index.bucketcache.hit=127, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4963, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 22:34:06.117, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654986780_91139', total_run_time=37.94, event_count=0, result_count=0, available_count=0, scan_count=41200034, drop_count=0, exec_time=1654986805, api_et=1654983180.000000000, api_lt=1654986780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654983180.000000000, search_lt=1654986807.619068000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3746", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_a117acefc111c673", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1898, eliminated_buckets=134, considered_events=41200034, total_slices=14264655, decompressed_slices=4179090, duration.command.search.index=14265, invocations.command.search.index.bucketcache.hit=1898, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=227272, invocations.command.search.rawdata.bucketcache.hit=297, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 22:16:36.447, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654985760_90788', total_run_time=8.35, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654985771, api_et=1654981560.000000000, api_lt=1654985160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654982160.000000000, search_lt=1654985772.833409000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3182", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_8fcb0b5eed83f30c", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1015, eliminated_buckets=338, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=623, invocations.command.search.index.bucketcache.hit=1015, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 22:14:36.526, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654985640_90748', total_run_time=4.80, event_count=0, result_count=0, available_count=0, scan_count=11402, drop_count=0, exec_time=1654985663, api_et=1654982040.000000000, api_lt=1654985640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654982040.000000000, search_lt=1654985665.577692000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2865", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=414, eliminated_buckets=284, considered_events=11402, total_slices=416408, decompressed_slices=1824, duration.command.search.index=784, invocations.command.search.index.bucketcache.hit=414, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5528, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=27, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=46, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=125, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=29, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=4, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=35, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=1, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") 
`filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-11-2022 22:11:24.566, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654985460_90681', total_run_time=5.26, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654985464, api_et=1654981860.000000000, api_lt=1654985460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654981860.000000000, search_lt=1654985467.147309000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="3193", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_7c3d1bff7ee4681f", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=123, eliminated_buckets=46, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=53, invocations.command.search.index.bucketcache.hit=123, 
duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?<dest_host>.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 22:09:54.183, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654985340_90650', total_run_time=20.31, event_count=0, result_count=0, available_count=0, scan_count=3768742, drop_count=0, exec_time=1654985345, api_et=1654981140.000000000, api_lt=1654984740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654981140.000000000, search_lt=1654984740.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3093", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_b3d0466977662358", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=792, eliminated_buckets=369, considered_events=3768742, total_slices=1138063, decompressed_slices=174969, duration.command.search.index=1570, invocations.command.search.index.bucketcache.hit=792, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=28123, invocations.command.search.rawdata.bucketcache.hit=7, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=91, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?<granted_account_id>\d+?):(?<granted_principal_name>.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 22:08:43.061, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654985220_90630', total_run_time=22.32, event_count=1143, result_count=55, available_count=0, scan_count=319921, drop_count=0, exec_time=1654985280, api_et=1654981620.000000000, api_lt=1654985220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654981620.000000000, search_lt=1654985281.985827000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2465", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=418, eliminated_buckets=202, considered_events=326224, total_slices=687917, decompressed_slices=87557, duration.command.search.index=2961, invocations.command.search.index.bucketcache.hit=418, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=24252, invocations.command.search.rawdata.bucketcache.hit=6, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=266732, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=26614, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | 
rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-11-2022 22:08:42.848, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654985220_90625', total_run_time=5.99, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654985246, api_et=1654981620.000000000, api_lt=1654985220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654981620.000000000, search_lt=1654985248.575188000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2850", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_d87941643f041f65", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=418, eliminated_buckets=202, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=768, invocations.command.search.index.bucketcache.hit=418, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, 
invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?<dest_host>(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 21:44:19.871, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654983780_90158', total_run_time=21.23, event_count=0, result_count=0, available_count=0, scan_count=3510, drop_count=0, exec_time=1654983818, api_et=1654980180.000000000, api_lt=1654983780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654980180.000000000, search_lt=1654983820.409071000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2768", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_408580203166c311", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=0, considered_events=3510, total_slices=1034094, decompressed_slices=1019, duration.command.search.index=1050, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5071, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 21:34:24.912, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654983180_89951', total_run_time=35.52, event_count=0, result_count=0, available_count=0, scan_count=41397468, drop_count=0, exec_time=1654983205, api_et=1654979580.000000000, api_lt=1654983180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654979580.000000000, search_lt=1654983207.501478000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3806", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_6b3af46140892604", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1914, eliminated_buckets=134, considered_events=41397468, total_slices=14638921, decompressed_slices=4212671, duration.command.search.index=14295, invocations.command.search.index.bucketcache.hit=1913, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=227381, invocations.command.search.rawdata.bucketcache.hit=311, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 21:16:48.479, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654982160_89608', total_run_time=8.04, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654982170, api_et=1654977960.000000000, api_lt=1654981560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654978560.000000000, search_lt=1654982172.428077000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3183", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_7f86c7163fa1491f", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1017, eliminated_buckets=338, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=644, invocations.command.search.index.bucketcache.hit=1017, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?<rapiddiag_operation>task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metadata")` | rex field=uri "\?(?<get_parameters>.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?<task_name>.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metadata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 21:14:48.525, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654982040_89568', total_run_time=4.18, event_count=0, result_count=0, available_count=0, scan_count=12263, drop_count=0, exec_time=1654982063, api_et=1654978440.000000000, api_lt=1654982040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654978440.000000000, search_lt=1654982065.304030000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2741", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=412, eliminated_buckets=283, considered_events=12263, total_slices=394786, decompressed_slices=2004, duration.command.search.index=928, invocations.command.search.index.bucketcache.hit=412, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5472, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=36, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=53, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=144, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=34, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=4, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=201, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=4, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") 
`filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-11-2022 21:11:18.669, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654981860_89502', total_run_time=5.22, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654981865, api_et=1654978260.000000000, api_lt=1654981860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654978260.000000000, search_lt=1654981867.678987000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="3203", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_422c53ebb02e24a7", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=123, eliminated_buckets=46, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=56, invocations.command.search.index.bucketcache.hit=123, 
duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 21:09:48.566, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654981740_89466', total_run_time=18.31, event_count=0, result_count=0, available_count=0, scan_count=3711382, drop_count=0, exec_time=1654981745, api_et=1654977540.000000000, api_lt=1654981140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654977540.000000000, search_lt=1654981140.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3000", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_97739c23c300c410", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=776, eliminated_buckets=354, considered_events=3711382, total_slices=1111155, decompressed_slices=169211, duration.command.search.index=1837, invocations.command.search.index.bucketcache.hit=776, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=28606, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=83, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 21:08:48.661, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654981620_89447', total_run_time=22.03, event_count=1177, result_count=55, available_count=0, scan_count=329595, drop_count=0, exec_time=1654981680, api_et=1654978020.000000000, api_lt=1654981620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654978020.000000000, search_lt=1654981682.248408000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2875", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=413, eliminated_buckets=201, considered_events=333954, total_slices=646943, decompressed_slices=88700, duration.command.search.index=2963, invocations.command.search.index.bucketcache.hit=413, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=24261, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=19, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=275426, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=27192, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype 
CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-11-2022 21:07:48.469, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654981620_89442', total_run_time=4.56, event_count=0, result_count=0, available_count=0, scan_count=2, drop_count=0, exec_time=1654981646, api_et=1654978020.000000000, api_lt=1654981620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654978020.000000000, search_lt=1654981648.421194000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2668", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_4d9134fbfe4089b9", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=413, eliminated_buckets=201, considered_events=2, total_slices=20050, decompressed_slices=2, duration.command.search.index=630, invocations.command.search.index.bucketcache.hit=413, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=271, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 21:00:18.472, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654981140_89250', total_run_time=12.74, event_count=0, result_count=0, available_count=0, scan_count=18812167, drop_count=0, exec_time=1654981190, api_et=1654966740.000000000, api_lt=1654981140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654966740.000000000, search_lt=1654981140.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3043", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=141, eliminated_buckets=0, considered_events=18812167, total_slices=1526074, decompressed_slices=358628, duration.command.search.index=6498, invocations.command.search.index.bucketcache.hit=141, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52570, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10655325, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 20:59:18.561, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654981080_89237', total_run_time=12.16, event_count=0, result_count=0, available_count=0, scan_count=18813048, drop_count=0, exec_time=1654981129, api_et=1654966680.000000000, api_lt=1654981080.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654966680.000000000, search_lt=1654981080.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3134", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=141, eliminated_buckets=0, considered_events=18813048, total_slices=1524475, decompressed_slices=358652, duration.command.search.index=6598, invocations.command.search.index.bucketcache.hit=141, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52787, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10655476, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 20:58:18.639, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654981020_89221', total_run_time=12.53, event_count=0, result_count=0, available_count=0, scan_count=18813242, drop_count=0, exec_time=1654981069, api_et=1654966620.000000000, api_lt=1654981020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654966620.000000000, search_lt=1654981020.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2593", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=141, eliminated_buckets=0, considered_events=18813242, total_slices=1522813, decompressed_slices=358685, duration.command.search.index=6930, invocations.command.search.index.bucketcache.hit=141, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52863, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10657640, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 20:57:18.459, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654980960_89204', total_run_time=11.87, event_count=0, result_count=0, available_count=0, scan_count=18814219, drop_count=0, exec_time=1654981010, api_et=1654966560.000000000, api_lt=1654980960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654966560.000000000, search_lt=1654980960.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2608", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=141, eliminated_buckets=0, considered_events=18814219, total_slices=1521278, decompressed_slices=358740, duration.command.search.index=6701, invocations.command.search.index.bucketcache.hit=141, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=50923, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10658864, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 20:56:18.478, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654980900_89193', total_run_time=12.16, event_count=0, result_count=0, available_count=0, scan_count=18818504, drop_count=0, exec_time=1654980949, api_et=1654966500.000000000, api_lt=1654980900.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654966500.000000000, search_lt=1654980900.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2715", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=141, eliminated_buckets=0, considered_events=18818504, total_slices=1519714, decompressed_slices=358772, duration.command.search.index=6774, invocations.command.search.index.bucketcache.hit=141, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=49587, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10660590, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 20:55:18.758, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654980840_89178', total_run_time=11.95, event_count=0, result_count=0, available_count=0, scan_count=18818849, drop_count=0, exec_time=1654980889, api_et=1654966440.000000000, api_lt=1654980840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654966440.000000000, search_lt=1654980840.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2620", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=18818849, total_slices=1517887, decompressed_slices=358785, duration.command.search.index=6898, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=49232, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10660138, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 20:54:19.949, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654980780_89161', total_run_time=12.78, event_count=0, result_count=0, available_count=0, scan_count=18818689, drop_count=0, exec_time=1654980829, api_et=1654966380.000000000, api_lt=1654980780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654966380.000000000, search_lt=1654980780.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3090", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=18818689, total_slices=1516499, decompressed_slices=358726, duration.command.search.index=6851, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=48332, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10660770, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 20:54:19.011, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654980720_89137', total_run_time=12.57, event_count=0, result_count=0, available_count=0, scan_count=18817177, drop_count=0, exec_time=1654980769, api_et=1654966320.000000000, api_lt=1654980720.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654966320.000000000, search_lt=1654980720.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2559", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=141, eliminated_buckets=0, considered_events=18817177, total_slices=1514845, decompressed_slices=358760, duration.command.search.index=7058, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51755, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10661358, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 20:52:27.373, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654980660_89120', total_run_time=12.85, event_count=0, result_count=0, available_count=0, scan_count=18817796, drop_count=0, exec_time=1654980709, api_et=1654966260.000000000, api_lt=1654980660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654966260.000000000, search_lt=1654980660.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2658", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=141, eliminated_buckets=0, considered_events=18817796, total_slices=1513376, decompressed_slices=358852, duration.command.search.index=7095, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52159, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10661582, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 20:51:13.480, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654980600_89096', total_run_time=14.80, event_count=0, result_count=0, available_count=0, scan_count=18817001, drop_count=0, exec_time=1654980649, api_et=1654966200.000000000, api_lt=1654980600.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654966200.000000000, search_lt=1654980600.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2614", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=141, eliminated_buckets=0, considered_events=18817001, total_slices=1511611, decompressed_slices=358846, duration.command.search.index=7174, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52951, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10659350, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 20:50:46.399, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654980540_89073', total_run_time=12.06, event_count=0, result_count=0, available_count=0, scan_count=18816322, drop_count=0, exec_time=1654980589, api_et=1654966140.000000000, api_lt=1654980540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654966140.000000000, search_lt=1654980540.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2589", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=141, eliminated_buckets=0, considered_events=18816322, total_slices=1510140, decompressed_slices=358914, duration.command.search.index=6990, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=50687, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10658887, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 20:50:44.569, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654980480_89052', total_run_time=13.07, event_count=0, result_count=0, available_count=0, scan_count=18818220, drop_count=0, exec_time=1654980529, api_et=1654966080.000000000, api_lt=1654980480.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654966080.000000000, search_lt=1654980480.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2703", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=141, eliminated_buckets=0, considered_events=18818220, total_slices=1508517, decompressed_slices=358917, duration.command.search.index=7449, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53936, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10658953, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 20:50:43.796, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654980420_89035', total_run_time=11.73, event_count=0, result_count=0, available_count=0, scan_count=18817296, drop_count=0, exec_time=1654980469, api_et=1654966020.000000000, api_lt=1654980420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654966020.000000000, search_lt=1654980420.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2588", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=141, eliminated_buckets=0, considered_events=18817296, total_slices=1506905, decompressed_slices=358994, duration.command.search.index=7165, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51247, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10658634, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 20:47:06.135, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654980360_89014', total_run_time=12.15, event_count=0, result_count=0, available_count=0, scan_count=18816609, drop_count=0, exec_time=1654980409, api_et=1654965960.000000000, api_lt=1654980360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654965960.000000000, search_lt=1654980360.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2543", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=141, eliminated_buckets=0, considered_events=18816609, total_slices=1505372, decompressed_slices=358976, duration.command.search.index=6830, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51139, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10658150, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 20:46:06.222, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654980300_88996', total_run_time=12.35, event_count=0, result_count=0, available_count=0, scan_count=18818771, drop_count=0, exec_time=1654980349, api_et=1654965900.000000000, api_lt=1654980300.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654965900.000000000, search_lt=1654980300.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2315", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=141, eliminated_buckets=0, considered_events=18818771, total_slices=1503890, decompressed_slices=359053, duration.command.search.index=6807, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51944, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10659578, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 20:45:06.423, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654980240_88974', total_run_time=11.84, event_count=0, result_count=0, available_count=0, scan_count=18820320, drop_count=0, exec_time=1654980289, api_et=1654965840.000000000, api_lt=1654980240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654965840.000000000, search_lt=1654980240.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2661", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=141, eliminated_buckets=0, considered_events=18820320, total_slices=1502253, decompressed_slices=359001, duration.command.search.index=6785, invocations.command.search.index.bucketcache.hit=141, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=50718, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10658610, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 20:44:06.206, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654980180_88953', total_run_time=13.09, event_count=0, result_count=0, available_count=0, scan_count=18820166, drop_count=0, exec_time=1654980229, api_et=1654965780.000000000, api_lt=1654980180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654965780.000000000, search_lt=1654980180.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2994", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=141, eliminated_buckets=0, considered_events=18820166, total_slices=1500644, decompressed_slices=358936, duration.command.search.index=6927, invocations.command.search.index.bucketcache.hit=141, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53529, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10658185, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 20:44:06.174, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654980180_88950', total_run_time=21.04, event_count=0, result_count=0, available_count=0, scan_count=3071, drop_count=0, exec_time=1654980218, api_et=1654976580.000000000, api_lt=1654980180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654976580.000000000, search_lt=1654980220.171300000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2724", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_56501616be3636ac", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=3071, total_slices=947919, decompressed_slices=845, duration.command.search.index=1079, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4904, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter 
vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 20:43:14.223, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654980120_88925', total_run_time=13.13, event_count=0, result_count=0, available_count=0, scan_count=18817098, drop_count=0, exec_time=1654980169, api_et=1654965720.000000000, api_lt=1654980120.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654965720.000000000, search_lt=1654980120.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2661", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=141, eliminated_buckets=0, considered_events=18817098, total_slices=1499016, decompressed_slices=358914, duration.command.search.index=7254, invocations.command.search.index.bucketcache.hit=141, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52905, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10657801, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 20:42:06.336, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654980060_88901', total_run_time=13.67, event_count=0, result_count=0, available_count=0, scan_count=18820571, drop_count=0, exec_time=1654980109, api_et=1654965660.000000000, api_lt=1654980060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654965660.000000000, search_lt=1654980060.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2668", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=141, eliminated_buckets=0, considered_events=18820571, total_slices=1497450, decompressed_slices=358945, duration.command.search.index=7923, invocations.command.search.index.bucketcache.hit=141, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55125, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10657419, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 20:41:06.283, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654980000_88876', total_run_time=12.57, event_count=0, result_count=0, available_count=0, scan_count=18820902, drop_count=0, exec_time=1654980049, api_et=1654965600.000000000, api_lt=1654980000.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654965600.000000000, search_lt=1654980000.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2615", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=141, eliminated_buckets=0, considered_events=18820902, total_slices=1495926, decompressed_slices=358917, duration.command.search.index=7171, invocations.command.search.index.bucketcache.hit=141, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52668, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10657245, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 20:40:26.184, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654979940_88855', total_run_time=11.44, event_count=0, result_count=0, available_count=0, scan_count=18819286, drop_count=0, exec_time=1654979989, api_et=1654965540.000000000, api_lt=1654979940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654965540.000000000, search_lt=1654979940.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2587", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=141, eliminated_buckets=0, considered_events=18819286, total_slices=1494308, decompressed_slices=358923, duration.command.search.index=6819, invocations.command.search.index.bucketcache.hit=141, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=50231, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10656836, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 20:40:24.954, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654979820_88824', total_run_time=11.39, event_count=0, result_count=0, available_count=0, scan_count=18818980, drop_count=0, exec_time=1654979870, api_et=1654965420.000000000, api_lt=1654979820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654965420.000000000, search_lt=1654979820.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2679", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=141, eliminated_buckets=0, considered_events=18818980, total_slices=1490931, decompressed_slices=358821, duration.command.search.index=6785, invocations.command.search.index.bucketcache.hit=141, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51047, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10657425, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 20:40:24.566, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654979880_88839', total_run_time=11.23, event_count=0, result_count=0, available_count=0, scan_count=18820252, drop_count=0, exec_time=1654979929, api_et=1654965480.000000000, api_lt=1654979880.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654965480.000000000, search_lt=1654979880.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2602", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=141, eliminated_buckets=0, considered_events=18820252, total_slices=1492600, decompressed_slices=358874, duration.command.search.index=6714, invocations.command.search.index.bucketcache.hit=141, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=48902, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10656650, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 20:37:30.275, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654979760_88809', total_run_time=11.92, event_count=0, result_count=0, available_count=0, scan_count=18820116, drop_count=0, exec_time=1654979810, api_et=1654965360.000000000, api_lt=1654979760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654965360.000000000, search_lt=1654979760.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2630", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=141, eliminated_buckets=0, considered_events=18820116, total_slices=1489343, decompressed_slices=358848, duration.command.search.index=6835, invocations.command.search.index.bucketcache.hit=141, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=50901, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10657164, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 20:36:30.714, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654979700_88799', total_run_time=11.45, event_count=0, result_count=0, available_count=0, scan_count=18820111, drop_count=0, exec_time=1654979749, api_et=1654965300.000000000, api_lt=1654979700.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654965300.000000000, search_lt=1654979700.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2585", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=141, eliminated_buckets=0, considered_events=18820111, total_slices=1487668, decompressed_slices=358791, duration.command.search.index=6934, invocations.command.search.index.bucketcache.hit=141, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51719, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10656746, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 20:35:30.413, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654979640_88778', total_run_time=12.10, event_count=0, result_count=0, available_count=0, scan_count=18819421, drop_count=0, exec_time=1654979689, api_et=1654965240.000000000, api_lt=1654979640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654965240.000000000, search_lt=1654979640.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2659", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=141, eliminated_buckets=0, considered_events=18819421, total_slices=1486131, decompressed_slices=358775, duration.command.search.index=7019, invocations.command.search.index.bucketcache.hit=141, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51340, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10657161, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 20:34:30.415, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654979580_88742', total_run_time=15.38, event_count=0, result_count=0, available_count=0, scan_count=18819830, drop_count=0, exec_time=1654979629, api_et=1654965180.000000000, api_lt=1654979580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654965180.000000000, search_lt=1654979580.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2543", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=141, eliminated_buckets=0, considered_events=18819830, total_slices=1484462, decompressed_slices=358809, duration.command.search.index=8138, invocations.command.search.index.bucketcache.hit=141, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57670, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10657395, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 20:34:30.257, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654979580_88730', total_run_time=46.58, event_count=0, result_count=0, available_count=0, scan_count=41317628, drop_count=0, exec_time=1654979606, api_et=1654975980.000000000, api_lt=1654979580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654975980.000000000, search_lt=1654979608.235822000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="4057", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_e39881c45c3dea06", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1894, eliminated_buckets=134, considered_events=41317628, total_slices=14479269, decompressed_slices=4225085, duration.command.search.index=14776, invocations.command.search.index.bucketcache.hit=1894, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=238316, invocations.command.search.rawdata.bucketcache.hit=291, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 20:33:24.577, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654979520_88705', total_run_time=14.76, event_count=0, result_count=0, available_count=0, scan_count=18817615, drop_count=0, exec_time=1654979569, api_et=1654965120.000000000, api_lt=1654979520.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654965120.000000000, search_lt=1654979520.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2654", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=141, eliminated_buckets=0, considered_events=18817615, total_slices=1482793, decompressed_slices=358787, duration.command.search.index=7618, invocations.command.search.index.bucketcache.hit=141, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=54908, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10657068, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 20:32:30.434, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654979460_88676', total_run_time=15.12, event_count=0, result_count=0, available_count=0, scan_count=18815760, drop_count=0, exec_time=1654979509, api_et=1654965060.000000000, api_lt=1654979460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654965060.000000000, search_lt=1654979460.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3266", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=141, eliminated_buckets=0, considered_events=18815760, total_slices=1481266, decompressed_slices=358883, duration.command.search.index=7853, invocations.command.search.index.bucketcache.hit=141, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56540, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10656298, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 20:31:31.283, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654979400_88648', total_run_time=18.64, event_count=0, result_count=0, available_count=0, scan_count=18816273, drop_count=0, exec_time=1654979449, api_et=1654965000.000000000, api_lt=1654979400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654965000.000000000, search_lt=1654979400.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2258", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=141, eliminated_buckets=0, considered_events=18816273, total_slices=1479697, decompressed_slices=358908, duration.command.search.index=9406, invocations.command.search.index.bucketcache.hit=141, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=71350, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10656096, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 20:30:30.274, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654979340_88619', total_run_time=11.78, event_count=0, result_count=0, available_count=0, scan_count=18818877, drop_count=0, exec_time=1654979389, api_et=1654964940.000000000, api_lt=1654979340.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654964940.000000000, search_lt=1654979340.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2607", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=141, eliminated_buckets=0, considered_events=18818877, total_slices=1477999, decompressed_slices=358923, duration.command.search.index=6672, invocations.command.search.index.bucketcache.hit=141, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53877, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10658584, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 20:29:31.261, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654979220_88591', total_run_time=11.54, event_count=0, result_count=0, available_count=0, scan_count=18818387, drop_count=0, exec_time=1654979269, api_et=1654964820.000000000, api_lt=1654979220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654964820.000000000, search_lt=1654979220.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2555", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=141, eliminated_buckets=0, considered_events=18818387, total_slices=1474593, decompressed_slices=358928, duration.command.search.index=6857, invocations.command.search.index.bucketcache.hit=141, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53224, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10660694, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 20:29:31.158, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654979280_88606', total_run_time=15.08, event_count=0, result_count=0, available_count=0, scan_count=18819362, drop_count=0, exec_time=1654979329, api_et=1654964880.000000000, api_lt=1654979280.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654964880.000000000, search_lt=1654979280.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2537", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=141, eliminated_buckets=0, considered_events=18819362, total_slices=1476374, decompressed_slices=358926, duration.command.search.index=7795, invocations.command.search.index.bucketcache.hit=141, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56448, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10659291, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 20:27:06.403, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654979160_88573', total_run_time=11.41, event_count=0, result_count=0, available_count=0, scan_count=18818690, drop_count=0, exec_time=1654979209, api_et=1654964760.000000000, api_lt=1654979160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654964760.000000000, search_lt=1654979160.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2494", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=141, eliminated_buckets=0, considered_events=18818690, total_slices=1473036, decompressed_slices=358898, duration.command.search.index=6809, invocations.command.search.index.bucketcache.hit=141, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53427, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10660374, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 20:26:06.288, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654979100_88557', total_run_time=12.24, event_count=0, result_count=0, available_count=0, scan_count=18824745, drop_count=0, exec_time=1654979149, api_et=1654964700.000000000, api_lt=1654979100.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654964700.000000000, search_lt=1654979100.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3066", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=141, eliminated_buckets=0, considered_events=18824745, total_slices=1471513, decompressed_slices=358955, duration.command.search.index=7019, invocations.command.search.index.bucketcache.hit=141, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51845, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10661172, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 20:25:09.907, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654978980_88525', total_run_time=11.76, event_count=0, result_count=0, available_count=0, scan_count=18829499, drop_count=0, exec_time=1654979029, api_et=1654964580.000000000, api_lt=1654978980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654964580.000000000, search_lt=1654978980.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2596", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=142, eliminated_buckets=0, considered_events=18829499, total_slices=1495028, decompressed_slices=358979, duration.command.search.index=7082, invocations.command.search.index.bucketcache.hit=142, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=48547, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10661603, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 20:25:09.317, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654978920_88492', total_run_time=12.98, event_count=0, result_count=0, available_count=0, scan_count=18831664, drop_count=0, exec_time=1654978969, api_et=1654964520.000000000, api_lt=1654978920.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654964520.000000000, search_lt=1654978920.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2692", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=142, eliminated_buckets=0, considered_events=18831664, total_slices=1493443, decompressed_slices=359004, duration.command.search.index=7186, invocations.command.search.index.bucketcache.hit=142, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51965, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10660444, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 20:25:09.265, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654979040_88544', total_run_time=12.58, event_count=0, result_count=0, available_count=0, scan_count=18828774, drop_count=0, exec_time=1654979090, api_et=1654964640.000000000, api_lt=1654979040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654964640.000000000, search_lt=1654979040.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2757", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=141, eliminated_buckets=0, considered_events=18828774, total_slices=1469897, decompressed_slices=358944, duration.command.search.index=7306, invocations.command.search.index.bucketcache.hit=141, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=49699, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10662718, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 20:22:02.606, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654978860_88476', total_run_time=11.31, event_count=0, result_count=0, available_count=0, scan_count=18833211, drop_count=0, exec_time=1654978909, api_et=1654964460.000000000, api_lt=1654978860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654964460.000000000, search_lt=1654978860.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2636", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=143, eliminated_buckets=0, considered_events=18833211, total_slices=1518611, decompressed_slices=359039, duration.command.search.index=7229, invocations.command.search.index.bucketcache.hit=143, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=49556, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10659960, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 20:21:34.898, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654978800_88448', total_run_time=13.02, event_count=0, result_count=0, available_count=0, scan_count=18832990, drop_count=0, exec_time=1654978849, api_et=1654964400.000000000, api_lt=1654978800.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654964400.000000000, search_lt=1654978800.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2697", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=143, eliminated_buckets=1, considered_events=18832990, total_slices=1517011, decompressed_slices=359060, duration.command.search.index=7756, invocations.command.search.index.bucketcache.hit=143, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53893, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10659097, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 20:21:34.251, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654978620_88378', total_run_time=12.02, event_count=0, result_count=0, available_count=0, scan_count=18831182, drop_count=0, exec_time=1654978669, api_et=1654964220.000000000, api_lt=1654978620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654964220.000000000, search_lt=1654978620.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2592", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=143, eliminated_buckets=1, considered_events=18831182, total_slices=1512029, decompressed_slices=359046, duration.command.search.index=6957, invocations.command.search.index.bucketcache.hit=143, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52263, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10656844, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 20:21:34.199, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654978740_88425', total_run_time=11.52, event_count=0, result_count=0, available_count=0, scan_count=18832426, drop_count=0, exec_time=1654978789, api_et=1654964340.000000000, api_lt=1654978740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654964340.000000000, search_lt=1654978740.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2620", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=143, eliminated_buckets=1, considered_events=18832426, total_slices=1515465, decompressed_slices=359042, duration.command.search.index=7289, invocations.command.search.index.bucketcache.hit=143, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=48149, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10658376, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 20:21:33.537, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654978680_88399', total_run_time=13.18, event_count=0, result_count=0, available_count=0, scan_count=18833903, drop_count=0, exec_time=1654978729, api_et=1654964280.000000000, api_lt=1654978680.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654964280.000000000, search_lt=1654978680.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2677", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=143, eliminated_buckets=1, considered_events=18833903, total_slices=1513762, decompressed_slices=359029, duration.command.search.index=7538, invocations.command.search.index.bucketcache.hit=143, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55222, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10659332, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 20:17:23.047, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654978560_88355', total_run_time=11.61, event_count=0, result_count=0, available_count=0, scan_count=18830734, drop_count=0, exec_time=1654978610, api_et=1654964160.000000000, api_lt=1654978560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654964160.000000000, search_lt=1654978560.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2582", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=142, eliminated_buckets=1, considered_events=18830734, total_slices=1510499, decompressed_slices=359004, duration.command.search.index=6886, invocations.command.search.index.bucketcache.hit=142, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51032, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10656282, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 20:16:22.798, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654978500_88338', total_run_time=11.72, event_count=0, result_count=0, available_count=0, scan_count=18830891, drop_count=0, exec_time=1654978549, api_et=1654964100.000000000, api_lt=1654978500.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654964100.000000000, search_lt=1654978500.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2305", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=142, eliminated_buckets=1, considered_events=18830891, total_slices=1508873, decompressed_slices=359017, duration.command.search.index=6985, invocations.command.search.index.bucketcache.hit=142, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=50526, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10655716, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 20:16:22.698, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654978560_88349', total_run_time=7.82, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654978571, api_et=1654974360.000000000, api_lt=1654977960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654974960.000000000, search_lt=1654978573.281101000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3592", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_0e703170a5bcfd0f", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1020, eliminated_buckets=340, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=649, invocations.command.search.index.bucketcache.hit=1020, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes 
values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 20:15:22.867, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654978440_88319', total_run_time=11.69, event_count=0, result_count=0, available_count=0, scan_count=18833521, drop_count=0, exec_time=1654978489, api_et=1654964040.000000000, api_lt=1654978440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654964040.000000000, search_lt=1654978440.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2639", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=142, eliminated_buckets=1, considered_events=18833521, total_slices=1507272, 
decompressed_slices=359008, duration.command.search.index=6768, invocations.command.search.index.bucketcache.hit=142, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52821, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10656330, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 20:14:52.827, 
user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654978440_88305', total_run_time=5.30, event_count=0, result_count=0, available_count=0, scan_count=13979, drop_count=0, exec_time=1654978463, api_et=1654974840.000000000, api_lt=1654978440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654974840.000000000, search_lt=1654978465.239376000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2776", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=410, eliminated_buckets=282, considered_events=14426, total_slices=385406, decompressed_slices=2338, duration.command.search.index=979, invocations.command.search.index.bucketcache.hit=410, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5925, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=38, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=60, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=186, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=40, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=3, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=33, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=2, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull 
value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-11-2022 20:14:22.759, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654978380_88295', total_run_time=11.17, event_count=0, result_count=0, available_count=0, scan_count=18832824, drop_count=0, exec_time=1654978429, api_et=1654963980.000000000, api_lt=1654978380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654963980.000000000, search_lt=1654978380.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2576", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=142, eliminated_buckets=1, considered_events=18832824, total_slices=1505726, decompressed_slices=359002, duration.command.search.index=6788, invocations.command.search.index.bucketcache.hit=142, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, 
invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=50456, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10655679, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 20:13:22.693, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654978320_88268', total_run_time=11.37, event_count=0, result_count=0, available_count=0, scan_count=18829206, drop_count=0, exec_time=1654978369, 
api_et=1654963920.000000000, api_lt=1654978320.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654963920.000000000, search_lt=1654978320.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2595", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=141, eliminated_buckets=0, considered_events=18829206, total_slices=1504041, decompressed_slices=359055, duration.command.search.index=6928, invocations.command.search.index.bucketcache.hit=141, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=49910, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10653978, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS 
existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 20:12:22.793, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654978260_88250', total_run_time=11.92, event_count=0, result_count=0, available_count=0, scan_count=18828529, drop_count=0, exec_time=1654978309, api_et=1654963860.000000000, api_lt=1654978260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654963860.000000000, search_lt=1654978260.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2664", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=141, eliminated_buckets=0, considered_events=18828529, total_slices=1502461, decompressed_slices=359069, duration.command.search.index=6754, invocations.command.search.index.bucketcache.hit=141, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52276, invocations.command.search.rawdata.bucketcache.hit=15, 
duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10654414, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 20:11:22.545, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654978260_88232', total_run_time=5.13, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654978265, api_et=1654974660.000000000, api_lt=1654978260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654974660.000000000, search_lt=1654978267.288911000, 
is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="3020", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_0f04ed3c2bbae68d", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=123, eliminated_buckets=46, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=54, invocations.command.search.index.bucketcache.hit=123, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, 
risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 20:11:22.507, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654978200_88223', total_run_time=12.44, event_count=0, result_count=0, available_count=0, scan_count=18827752, drop_count=0, exec_time=1654978249, api_et=1654963800.000000000, api_lt=1654978200.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654963800.000000000, search_lt=1654978200.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3082", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=141, eliminated_buckets=0, considered_events=18827752, total_slices=1500925, decompressed_slices=359136, duration.command.search.index=7013, invocations.command.search.index.bucketcache.hit=141, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52218, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, 
invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10653640, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 20:10:13.600, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654978140_88206', total_run_time=11.79, event_count=0, result_count=0, available_count=0, scan_count=18826100, drop_count=0, exec_time=1654978189, api_et=1654963740.000000000, api_lt=1654978140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654963740.000000000, search_lt=1654978140.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2572", has_error_msg=false, fully_completed_search=true, 
is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=141, eliminated_buckets=0, considered_events=18826100, total_slices=1499385, decompressed_slices=359181, duration.command.search.index=6806, invocations.command.search.index.bucketcache.hit=141, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51949, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10652376, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval 
right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 20:09:55.510, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654978140_88198', total_run_time=22.70, event_count=0, result_count=0, available_count=0, scan_count=3713917, drop_count=0, exec_time=1654978145, api_et=1654973940.000000000, api_lt=1654977540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654973940.000000000, search_lt=1654977540.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3118", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_cf62b0c7ba30703c", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=780, eliminated_buckets=354, considered_events=3713917, total_slices=1086550, decompressed_slices=170771, duration.command.search.index=1701, invocations.command.search.index.bucketcache.hit=778, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=28144, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=85, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 20:09:55.440, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654978020_88182', total_run_time=21.17, event_count=1127, result_count=56, available_count=0, scan_count=308015, drop_count=0, exec_time=1654978084, api_et=1654974420.000000000, api_lt=1654978020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654974420.000000000, search_lt=1654978086.193527000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2792", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=413, eliminated_buckets=200, considered_events=313682, total_slices=571794, decompressed_slices=87556, duration.command.search.index=2734, invocations.command.search.index.bucketcache.hit=412, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=24319, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=251852, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=26635, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | 
rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-11-2022 20:09:55.172, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654978080_88190', total_run_time=11.82, event_count=0, result_count=0, available_count=0, scan_count=18828932, drop_count=0, exec_time=1654978129, api_et=1654963680.000000000, api_lt=1654978080.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654963680.000000000, search_lt=1654978080.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2596", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=141, eliminated_buckets=0, considered_events=18828932, total_slices=1497758, decompressed_slices=359237, duration.command.search.index=7044, invocations.command.search.index.bucketcache.hit=141, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, 
invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=47989, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10653337, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 20:09:54.847, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654978020_88173', total_run_time=11.74, event_count=0, result_count=0, available_count=0, scan_count=18828128, drop_count=0, exec_time=1654978069, 
api_et=1654963620.000000000, api_lt=1654978020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654963620.000000000, search_lt=1654978020.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2670", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=141, eliminated_buckets=1, considered_events=18828128, total_slices=1496102, decompressed_slices=359268, duration.command.search.index=7134, invocations.command.search.index.bucketcache.hit=141, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51502, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10653458, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS 
existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 20:09:54.819, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654978020_88168', total_run_time=6.08, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654978046, api_et=1654974420.000000000, api_lt=1654978020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654974420.000000000, search_lt=1654978048.403412000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2704", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_d393c299574fd2aa", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=413, eliminated_buckets=200, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=763, invocations.command.search.index.bucketcache.hit=412, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, 
duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 20:07:29.528, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654977960_88153', total_run_time=11.59, event_count=0, result_count=0, available_count=0, scan_count=18827790, drop_count=0, exec_time=1654978009, api_et=1654963560.000000000, api_lt=1654977960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654963560.000000000, search_lt=1654977960.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2639", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=141, eliminated_buckets=1, considered_events=18827790, total_slices=1494549, decompressed_slices=359269, duration.command.search.index=7040, invocations.command.search.index.bucketcache.hit=141, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51908, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10652715, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 20:06:16.505, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654977900_88139', total_run_time=13.30, event_count=0, result_count=0, available_count=0, scan_count=18829969, drop_count=0, exec_time=1654977949, api_et=1654963500.000000000, api_lt=1654977900.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654963500.000000000, search_lt=1654977900.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3099", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=141, eliminated_buckets=1, considered_events=18829969, total_slices=1492959, decompressed_slices=359296, duration.command.search.index=7219, invocations.command.search.index.bucketcache.hit=141, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51947, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10652275, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 20:05:52.343, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654977840_88122', total_run_time=13.15, event_count=0, result_count=0, available_count=0, scan_count=18829243, drop_count=0, exec_time=1654977890, api_et=1654963440.000000000, api_lt=1654977840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654963440.000000000, search_lt=1654977840.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2775", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=18829243, total_slices=1491384, decompressed_slices=359244, duration.command.search.index=7698, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=50457, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10651043, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 20:05:50.590, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654977780_88081', total_run_time=15.74, event_count=0, result_count=0, available_count=0, scan_count=18825775, drop_count=0, exec_time=1654977829, api_et=1654963380.000000000, api_lt=1654977780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654963380.000000000, search_lt=1654977780.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2793", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=18825775, total_slices=1489670, decompressed_slices=359172, duration.command.search.index=8747, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=64674, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10648817, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 20:05:49.609, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654977720_88035', total_run_time=16.17, event_count=0, result_count=0, available_count=0, scan_count=18824346, drop_count=0, exec_time=1654977770, api_et=1654963320.000000000, api_lt=1654977720.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654963320.000000000, search_lt=1654977720.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2719", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=18824346, total_slices=1487997, decompressed_slices=359156, duration.command.search.index=8471, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=67639, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10647230, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 20:02:29.888, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654977660_88005', total_run_time=16.61, event_count=0, result_count=0, available_count=0, scan_count=18823592, drop_count=0, exec_time=1654977709, api_et=1654963260.000000000, api_lt=1654977660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654963260.000000000, search_lt=1654977660.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2615", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=18823592, total_slices=1486253, decompressed_slices=359084, duration.command.search.index=10003, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=70718, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10644441, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 20:01:30.316, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654977600_87975', total_run_time=16.61, event_count=0, result_count=0, available_count=0, scan_count=18822797, drop_count=0, exec_time=1654977649, api_et=1654963200.000000000, api_lt=1654977600.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654963200.000000000, search_lt=1654977600.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2355", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=18822797, total_slices=1484483, decompressed_slices=359075, duration.command.search.index=8346, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=67601, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10641247, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 19:44:05.900, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654976580_87688', total_run_time=21.78, event_count=0, result_count=0, available_count=0, scan_count=3110, drop_count=0, exec_time=1654976618, api_et=1654972980.000000000, api_lt=1654976580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654972980.000000000, search_lt=1654976620.685651000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2863", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_2d493240c769af15", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=128, eliminated_buckets=0, considered_events=3110, total_slices=959532, decompressed_slices=919, duration.command.search.index=1049, invocations.command.search.index.bucketcache.hit=128, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4854, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter 
vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 19:36:28.400, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654975980_87482', total_run_time=73.85, event_count=0, result_count=0, available_count=0, scan_count=41271127, drop_count=0, exec_time=1654976005, api_et=1654972380.000000000, api_lt=1654975980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654972380.000000000, search_lt=1654976007.662243000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3673", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_a48825bfdc8e66a4", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1902, eliminated_buckets=134, considered_events=41271127, total_slices=14549376, decompressed_slices=4222696, duration.command.search.index=15311, invocations.command.search.index.bucketcache.hit=1901, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=253724, invocations.command.search.rawdata.bucketcache.hit=298, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 19:16:44.557, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654974960_87143', total_run_time=7.83, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654974970, api_et=1654970760.000000000, api_lt=1654974360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654971360.000000000, search_lt=1654974972.589015000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3218", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_b0f5a4eb4fc0df81", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1019, eliminated_buckets=341, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=630, invocations.command.search.index.bucketcache.hit=1019, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?<rapiddiag_operation>task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?<get_parameters>.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?<task_name>.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes 
values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 19:14:44.679, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654974840_87103', total_run_time=4.33, event_count=0, result_count=0, available_count=0, scan_count=13333, drop_count=0, exec_time=1654974863, api_et=1654971240.000000000, api_lt=1654974840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654971240.000000000, search_lt=1654974865.300742000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2876", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=419, eliminated_buckets=289, considered_events=13333, total_slices=427014, decompressed_slices=2061, duration.command.search.index=938, 
invocations.command.search.index.bucketcache.hit=418, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5395, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=36, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=55, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=163, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=36, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=7, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=44, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=3, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR 
sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." 
(CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-11-2022 19:11:14.740, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654974660_87037', total_run_time=4.72, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654974664, api_et=1654971060.000000000, api_lt=1654974660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654971060.000000000, search_lt=1654974666.203484000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2747", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_e21e46949796d39f", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=123, eliminated_buckets=46, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=54, invocations.command.search.index.bucketcache.hit=123, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?<dest_host>.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 19:09:44.772, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654974540_87006', total_run_time=19.23, event_count=0, result_count=0, available_count=0, scan_count=3748044, drop_count=0, exec_time=1654974545, api_et=1654970340.000000000, api_lt=1654973940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654970340.000000000, search_lt=1654973940.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3163", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_936b81b9d0eddbf6", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=783, eliminated_buckets=365, considered_events=3748044, total_slices=994228, decompressed_slices=173599, duration.command.search.index=1572, invocations.command.search.index.bucketcache.hit=782, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=28982, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=158, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?<granted_account_id>\d+?):(?<granted_principal_name>.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 19:08:44.560, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654974420_86987', total_run_time=20.72, event_count=1123, result_count=56, available_count=0, scan_count=300938, drop_count=0, exec_time=1654974480, api_et=1654970820.000000000, api_lt=1654974420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654970820.000000000, search_lt=1654974482.562082000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2851", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=416, eliminated_buckets=201, considered_events=305944, total_slices=591233, decompressed_slices=83806, duration.command.search.index=2828, invocations.command.search.index.bucketcache.hit=416, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=23364, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=245985, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=26464, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | 
rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-11-2022 19:07:44.560, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654974420_86982', total_run_time=4.39, event_count=0, result_count=0, available_count=0, scan_count=2, drop_count=0, exec_time=1654974446, api_et=1654970820.000000000, api_lt=1654974420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654970820.000000000, search_lt=1654974447.899721000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2793", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_d7c71e467b4146d2", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=416, eliminated_buckets=201, considered_events=2, total_slices=8414, decompressed_slices=2, duration.command.search.index=621, invocations.command.search.index.bucketcache.hit=416, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, 
invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=262, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?<dest_host>(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 18:44:30.117, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654972980_86511', total_run_time=20.65, event_count=0, result_count=0, available_count=0, scan_count=3786, drop_count=0, exec_time=1654973018, api_et=1654969380.000000000, api_lt=1654972980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654969380.000000000, search_lt=1654973020.968958000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2972", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_51ae0e5afa2a996f", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=132, eliminated_buckets=0, considered_events=3786, total_slices=941622, decompressed_slices=913, duration.command.search.index=996, invocations.command.search.index.bucketcache.hit=132, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4680, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 18:37:19.671, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654972380_86301', total_run_time=35.87, event_count=0, result_count=0, available_count=0, scan_count=41267397, drop_count=0, exec_time=1654972405, api_et=1654968780.000000000, api_lt=1654972380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654968780.000000000, search_lt=1654972407.549003000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3844", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_8328d6db0d281057", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1901, eliminated_buckets=134, considered_events=41267397, total_slices=14590311, decompressed_slices=4229127, duration.command.search.index=14391, invocations.command.search.index.bucketcache.hit=1898, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=228385, invocations.command.search.rawdata.bucketcache.hit=296, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 18:16:41.768, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654971360_85950', total_run_time=10.72, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654971371, api_et=1654967160.000000000, api_lt=1654970760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654967760.000000000, search_lt=1654971373.009133000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3186", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_8ed9960d94f95b78", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1021, eliminated_buckets=342, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=808, invocations.command.search.index.bucketcache.hit=1021, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?<rapiddiag_operation>task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metadata")` | rex field=uri "\?(?<get_parameters>.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?<task_name>.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metadata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 18:14:41.595, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654971240_85910', total_run_time=4.79, event_count=0, result_count=0, available_count=0, scan_count=19962, drop_count=0, exec_time=1654971263, api_et=1654967640.000000000, api_lt=1654971240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654967640.000000000, search_lt=1654971265.746289000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2865", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=415, eliminated_buckets=284, considered_events=20233, total_slices=511712, decompressed_slices=2966, duration.command.search.index=1116, invocations.command.search.index.bucketcache.hit=413, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5799, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=30, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=66, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=203, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=42, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=3, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=46, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=6, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") 
`filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-11-2022 18:11:11.095, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654971060_85843', total_run_time=4.95, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654971064, api_et=1654967460.000000000, api_lt=1654971060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654967460.000000000, search_lt=1654971066.380659000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2817", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_3f948adc1f53f9ac", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=122, eliminated_buckets=45, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=52, invocations.command.search.index.bucketcache.hit=122, 
duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?<dest_host>.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 18:09:41.237, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654970940_85809', total_run_time=19.24, event_count=0, result_count=0, available_count=0, scan_count=3702306, drop_count=0, exec_time=1654970945, api_et=1654966740.000000000, api_lt=1654970340.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654966740.000000000, search_lt=1654970340.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3119", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_7f3c0cc3ddf57bff", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=782, eliminated_buckets=360, considered_events=3702306, total_slices=976443, decompressed_slices=171372, duration.command.search.index=1582, invocations.command.search.index.bucketcache.hit=780, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=28461, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=142, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?<granted_account_id>\d+?):(?<granted_principal_name>.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 18:09:41.217, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654970820_85789', total_run_time=24.15, event_count=1240, result_count=62, available_count=0, scan_count=355694, drop_count=0, exec_time=1654970880, api_et=1654967220.000000000, api_lt=1654970820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654967220.000000000, search_lt=1654970882.304621000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2849", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=413, eliminated_buckets=200, considered_events=361320, total_slices=552156, decompressed_slices=94090, duration.command.search.index=3023, invocations.command.search.index.bucketcache.hit=413, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=26139, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=281649, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=28678, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | 
rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-11-2022 18:07:38.770, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654970820_85784', total_run_time=6.10, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654970846, api_et=1654967220.000000000, api_lt=1654970820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654967220.000000000, search_lt=1654970848.694446000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2838", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_cb28b8c95a98a9c7", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=412, eliminated_buckets=199, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=839, invocations.command.search.index.bucketcache.hit=412, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, 
invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 17:44:30.080, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654969380_85321', total_run_time=22.04, event_count=0, result_count=0, available_count=0, scan_count=3463, drop_count=0, exec_time=1654969418, api_et=1654965780.000000000, api_lt=1654969380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654965780.000000000, search_lt=1654969420.560400000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3033", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_f9e1f0235f8e3cff", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=128, eliminated_buckets=0, considered_events=3463, total_slices=1064938, decompressed_slices=861, duration.command.search.index=1083, invocations.command.search.index.bucketcache.hit=128, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4999, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 17:34:07.890, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654968780_85116', total_run_time=35.71, event_count=0, result_count=0, available_count=0, scan_count=41213560, drop_count=0, exec_time=1654968805, api_et=1654965180.000000000, api_lt=1654968780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654965180.000000000, search_lt=1654968807.147112000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3841", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_f4ecb06f93073d48", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1887, eliminated_buckets=134, considered_events=41213560, total_slices=14310077, decompressed_slices=4207832, duration.command.search.index=14278, invocations.command.search.index.bucketcache.hit=1886, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=226961, invocations.command.search.rawdata.bucketcache.hit=287, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 17:16:25.057, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654967760_84780', total_run_time=9.69, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654967771, api_et=1654963560.000000000, api_lt=1654967160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654964160.000000000, search_lt=1654967772.973225000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3157", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_4305f359754f3b8d", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1022, eliminated_buckets=343, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=828, invocations.command.search.index.bucketcache.hit=1022, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metadata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metadata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 17:14:54.562, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654967640_84739', total_run_time=4.09, event_count=0, result_count=0, available_count=0, scan_count=15172, drop_count=0, exec_time=1654967663, api_et=1654964040.000000000, api_lt=1654967640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654964040.000000000, search_lt=1654967665.020063000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2750", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=415, eliminated_buckets=285, considered_events=15180, total_slices=575138, decompressed_slices=2273, duration.command.search.index=1013, invocations.command.search.index.bucketcache.hit=415, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5611, invocations.command.search.rawdata.bucketcache.hit=5, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=28, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=68, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=194, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=45, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=2, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=44, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=1, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") 
`filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-11-2022 17:11:24.642, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654967460_84674', total_run_time=5.04, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654967464, api_et=1654963860.000000000, api_lt=1654967460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654963860.000000000, search_lt=1654967466.649292000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2643", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_6d7a46a53f8707a8", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=122, eliminated_buckets=45, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=53, invocations.command.search.index.bucketcache.hit=122, 
duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 17:09:54.654, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654967340_84642', total_run_time=21.71, event_count=0, result_count=0, available_count=0, scan_count=3700091, drop_count=0, exec_time=1654967345, api_et=1654963140.000000000, api_lt=1654966740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654963140.000000000, search_lt=1654966740.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3070", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_21a880eedf5a9932", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=779, eliminated_buckets=358, considered_events=3700091, total_slices=995982, decompressed_slices=168844, duration.command.search.index=1560, invocations.command.search.index.bucketcache.hit=778, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=28094, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=82, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 17:08:24.473, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654967220_84623', total_run_time=19.41, event_count=1181, result_count=56, available_count=0, scan_count=315950, drop_count=0, exec_time=1654967280, api_et=1654963620.000000000, api_lt=1654967220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654963620.000000000, search_lt=1654967282.398686000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="3020", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=414, eliminated_buckets=202, considered_events=322653, total_slices=498241, decompressed_slices=87799, duration.command.search.index=3008, invocations.command.search.index.bucketcache.hit=414, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=24775, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=256793, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=27274, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | 
rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-11-2022 17:08:05.643, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654967220_84617', total_run_time=4.22, event_count=0, result_count=0, available_count=0, scan_count=2, drop_count=0, exec_time=1654967246, api_et=1654963620.000000000, api_lt=1654967220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654963620.000000000, search_lt=1654967248.375138000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2838", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_a45730904ec7a99a", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=414, eliminated_buckets=202, considered_events=2, total_slices=10858, decompressed_slices=0, duration.command.search.index=620, invocations.command.search.index.bucketcache.hit=414, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, 
invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=251, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 17:00:24.736, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654966740_84428', total_run_time=12.54, event_count=0, result_count=0, available_count=0, scan_count=18476138, drop_count=0, exec_time=1654966790, api_et=1654952340.000000000, api_lt=1654966740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654952340.000000000, search_lt=1654966740.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2884", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=132, eliminated_buckets=0, considered_events=18476138, total_slices=1245269, decompressed_slices=357430, duration.command.search.index=6599, invocations.command.search.index.bucketcache.hit=132, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52341, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10327908, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 16:59:24.785, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654966680_84415', total_run_time=11.70, event_count=0, result_count=0, available_count=0, scan_count=18476235, drop_count=0, exec_time=1654966729, api_et=1654952280.000000000, api_lt=1654966680.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654952280.000000000, search_lt=1654966680.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2660", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=132, eliminated_buckets=0, considered_events=18476235, total_slices=1243598, decompressed_slices=357442, duration.command.search.index=6822, invocations.command.search.index.bucketcache.hit=132, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=50882, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10329172, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 16:58:24.786, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654966620_84398', total_run_time=12.10, event_count=0, result_count=0, available_count=0, scan_count=18475506, drop_count=0, exec_time=1654966670, api_et=1654952220.000000000, api_lt=1654966620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654952220.000000000, search_lt=1654966620.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2691", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=132, eliminated_buckets=0, considered_events=18475506, total_slices=1242064, decompressed_slices=357419, duration.command.search.index=7043, invocations.command.search.index.bucketcache.hit=132, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51099, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10328854, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 16:57:24.567, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654966560_84379', total_run_time=11.45, event_count=0, result_count=0, available_count=0, scan_count=18475855, drop_count=0, exec_time=1654966609, api_et=1654952160.000000000, api_lt=1654966560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654952160.000000000, search_lt=1654966560.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2658", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=132, eliminated_buckets=0, considered_events=18475855, total_slices=1240411, decompressed_slices=357422, duration.command.search.index=6703, invocations.command.search.index.bucketcache.hit=132, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51747, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10328753, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 16:56:24.467, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654966500_84368', total_run_time=12.95, event_count=0, result_count=0, available_count=0, scan_count=18472687, drop_count=0, exec_time=1654966549, api_et=1654952100.000000000, api_lt=1654966500.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654952100.000000000, search_lt=1654966500.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2660", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=132, eliminated_buckets=0, considered_events=18472687, total_slices=1238867, decompressed_slices=357436, duration.command.search.index=6936, invocations.command.search.index.bucketcache.hit=132, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52727, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10328258, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 16:55:24.453, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654966440_84352', total_run_time=12.49, event_count=0, result_count=0, available_count=0, scan_count=18472277, drop_count=0, exec_time=1654966490, api_et=1654952040.000000000, api_lt=1654966440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654952040.000000000, search_lt=1654966440.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3144", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=132, eliminated_buckets=0, considered_events=18472277, total_slices=1237227, decompressed_slices=357409, duration.command.search.index=6804, invocations.command.search.index.bucketcache.hit=132, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=49687, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10329459, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 16:54:24.215, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654966380_84335', total_run_time=11.81, event_count=0, result_count=0, available_count=0, scan_count=18472630, drop_count=0, exec_time=1654966429, api_et=1654951980.000000000, api_lt=1654966380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654951980.000000000, search_lt=1654966380.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3065", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=132, eliminated_buckets=0, considered_events=18472630, total_slices=1235536, decompressed_slices=357464, duration.command.search.index=6850, invocations.command.search.index.bucketcache.hit=132, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=50083, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10330369, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 16:54:23.888, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654966320_84310', total_run_time=13.48, event_count=0, result_count=0, available_count=0, scan_count=18474350, drop_count=0, exec_time=1654966369, api_et=1654951920.000000000, api_lt=1654966320.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654951920.000000000, search_lt=1654966320.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2702", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=132, eliminated_buckets=0, considered_events=18474350, total_slices=1233939, decompressed_slices=357482, duration.command.search.index=7226, invocations.command.search.index.bucketcache.hit=132, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51402, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10332134, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 16:52:05.372, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654966260_84293', total_run_time=13.21, event_count=0, result_count=0, available_count=0, scan_count=18475944, drop_count=0, exec_time=1654966310, api_et=1654951860.000000000, api_lt=1654966260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654951860.000000000, search_lt=1654966260.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2736", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=132, eliminated_buckets=0, considered_events=18475944, total_slices=1232368, decompressed_slices=357423, duration.command.search.index=7310, invocations.command.search.index.bucketcache.hit=132, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53251, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10333232, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 16:51:05.273, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654966200_84268', total_run_time=14.37, event_count=0, result_count=0, available_count=0, scan_count=18476015, drop_count=0, exec_time=1654966248, api_et=1654951800.000000000, api_lt=1654966200.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654951800.000000000, search_lt=1654966200.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2590", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=132, eliminated_buckets=0, considered_events=18476015, total_slices=1230371, decompressed_slices=357447, duration.command.search.index=8100, invocations.command.search.index.bucketcache.hit=132, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55663, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10334140, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 16:50:05.641, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654966140_84246', total_run_time=12.16, event_count=0, result_count=0, available_count=0, scan_count=18475975, drop_count=0, exec_time=1654966190, api_et=1654951740.000000000, api_lt=1654966140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654951740.000000000, search_lt=1654966140.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2672", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=132, eliminated_buckets=0, considered_events=18475975, total_slices=1229119, decompressed_slices=357432, duration.command.search.index=6981, invocations.command.search.index.bucketcache.hit=132, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=48961, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10334964, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 16:49:05.598, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654966080_84223', total_run_time=12.55, event_count=0, result_count=0, available_count=0, scan_count=18476468, drop_count=0, exec_time=1654966129, api_et=1654951680.000000000, api_lt=1654966080.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654951680.000000000, search_lt=1654966080.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2682", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=132, eliminated_buckets=0, considered_events=18476468, total_slices=1227504, decompressed_slices=357417, duration.command.search.index=7301, invocations.command.search.index.bucketcache.hit=132, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52409, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10336749, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 16:48:05.236, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654966020_84206', total_run_time=11.76, event_count=0, result_count=0, available_count=0, scan_count=18479482, drop_count=0, exec_time=1654966069, api_et=1654951620.000000000, api_lt=1654966020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654951620.000000000, search_lt=1654966020.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2626", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=132, eliminated_buckets=0, considered_events=18479482, total_slices=1225791, decompressed_slices=357436, duration.command.search.index=6826, invocations.command.search.index.bucketcache.hit=132, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52234, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10337753, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 16:47:05.525, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654965960_84184', total_run_time=11.43, event_count=0, result_count=0, available_count=0, scan_count=18476146, drop_count=0, exec_time=1654966009, api_et=1654951560.000000000, api_lt=1654965960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654951560.000000000, search_lt=1654965960.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2576", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=132, eliminated_buckets=0, considered_events=18476146, total_slices=1223648, decompressed_slices=357339, duration.command.search.index=6515, invocations.command.search.index.bucketcache.hit=132, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=49365, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10334536, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 16:46:05.383, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654965900_84166', total_run_time=11.41, event_count=0, result_count=0, available_count=0, scan_count=18479832, drop_count=0, exec_time=1654965949, api_et=1654951500.000000000, api_lt=1654965900.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654951500.000000000, search_lt=1654965900.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2583", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=132, eliminated_buckets=0, considered_events=18479832, total_slices=1222630, decompressed_slices=357439, duration.command.search.index=6505, invocations.command.search.index.bucketcache.hit=132, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51435, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10337805, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 16:45:05.661, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654965840_84144', total_run_time=11.86, event_count=0, result_count=0, available_count=0, scan_count=18479912, drop_count=0, exec_time=1654965890, api_et=1654951440.000000000, api_lt=1654965840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654951440.000000000, search_lt=1654965840.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2642", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=132, eliminated_buckets=0, considered_events=18479912, total_slices=1221023, decompressed_slices=357462, duration.command.search.index=6519, invocations.command.search.index.bucketcache.hit=132, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51584, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10339107, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 16:44:05.546, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654965780_84123', total_run_time=11.80, event_count=0, result_count=0, available_count=0, scan_count=18480079, drop_count=0, exec_time=1654965830, api_et=1654951380.000000000, api_lt=1654965780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654951380.000000000, search_lt=1654965780.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3106", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=132, eliminated_buckets=0, considered_events=18480079, total_slices=1219366, decompressed_slices=357406, duration.command.search.index=6594, invocations.command.search.index.bucketcache.hit=132, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51344, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10340264, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 16:44:05.376, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654965780_84120', total_run_time=21.33, event_count=0, result_count=0, available_count=0, scan_count=3054, drop_count=0, exec_time=1654965818, api_et=1654962180.000000000, api_lt=1654965780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654962180.000000000, search_lt=1654965820.193098000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2806", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_856696b30ffc6f12", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=0, considered_events=3054, total_slices=1021632, decompressed_slices=747, duration.command.search.index=1078, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4886, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter 
vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 16:43:05.504, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654965720_84094', total_run_time=14.18, event_count=0, result_count=0, available_count=0, scan_count=18480608, drop_count=0, exec_time=1654965769, api_et=1654951320.000000000, api_lt=1654965720.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654951320.000000000, search_lt=1654965720.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2614", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=132, eliminated_buckets=0, considered_events=18480608, total_slices=1217715, decompressed_slices=357396, duration.command.search.index=7082, invocations.command.search.index.bucketcache.hit=132, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=50823, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10341096, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 16:42:05.348, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654965660_84071', total_run_time=11.80, event_count=0, result_count=0, available_count=0, scan_count=18476778, drop_count=0, exec_time=1654965709, api_et=1654951260.000000000, api_lt=1654965660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654951260.000000000, search_lt=1654965660.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2769", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=132, eliminated_buckets=0, considered_events=18476778, total_slices=1216150, decompressed_slices=357333, duration.command.search.index=6755, invocations.command.search.index.bucketcache.hit=132, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51528, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10341613, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 16:41:05.496, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654965600_84046', total_run_time=12.60, event_count=0, result_count=0, available_count=0, scan_count=18476010, drop_count=0, exec_time=1654965649, api_et=1654951200.000000000, api_lt=1654965600.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654951200.000000000, search_lt=1654965600.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2599", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=132, eliminated_buckets=0, considered_events=18476010, total_slices=1214489, decompressed_slices=357392, duration.command.search.index=7063, invocations.command.search.index.bucketcache.hit=132, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=54877, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10342172, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 16:40:05.302, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654965540_84024', total_run_time=12.23, event_count=0, result_count=0, available_count=0, scan_count=18477998, drop_count=0, exec_time=1654965590, api_et=1654951140.000000000, api_lt=1654965540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654951140.000000000, search_lt=1654965540.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2828", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=132, eliminated_buckets=0, considered_events=18477998, total_slices=1212978, decompressed_slices=357453, duration.command.search.index=6599, invocations.command.search.index.bucketcache.hit=132, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52041, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10343759, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 16:39:04.161, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654965420_83993', total_run_time=12.18, event_count=0, result_count=0, available_count=0, scan_count=18477304, drop_count=0, exec_time=1654965469, api_et=1654951020.000000000, api_lt=1654965420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654951020.000000000, search_lt=1654965420.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2648", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=132, eliminated_buckets=0, considered_events=18477304, total_slices=1209671, decompressed_slices=357476, duration.command.search.index=6622, invocations.command.search.index.bucketcache.hit=132, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=50082, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10343245, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 16:39:03.219, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654965480_84008', total_run_time=12.16, event_count=0, result_count=0, available_count=0, scan_count=18479200, drop_count=0, exec_time=1654965529, api_et=1654951080.000000000, api_lt=1654965480.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654951080.000000000, search_lt=1654965480.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2601", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=132, eliminated_buckets=0, considered_events=18479200, total_slices=1211279, decompressed_slices=357478, duration.command.search.index=6985, invocations.command.search.index.bucketcache.hit=132, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=48007, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10344519, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 16:37:21.683, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654965360_83978', total_run_time=12.00, event_count=0, result_count=0, available_count=0, scan_count=18472294, drop_count=0, exec_time=1654965410, api_et=1654950960.000000000, api_lt=1654965360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654950960.000000000, search_lt=1654965360.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2812", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=132, eliminated_buckets=0, considered_events=18472294, total_slices=1208172, decompressed_slices=357412, duration.command.search.index=6619, invocations.command.search.index.bucketcache.hit=132, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=50203, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10339363, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 16:36:20.104, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654965300_83968', total_run_time=12.04, event_count=0, result_count=0, available_count=0, scan_count=18469239, drop_count=0, exec_time=1654965350, api_et=1654950900.000000000, api_lt=1654965300.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654950900.000000000, search_lt=1654965300.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2580", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=132, eliminated_buckets=0, considered_events=18469239, total_slices=1206504, decompressed_slices=357380, duration.command.search.index=6606, invocations.command.search.index.bucketcache.hit=132, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=50432, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10337117, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 16:35:19.840, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654965240_83946', total_run_time=13.22, event_count=0, result_count=0, available_count=0, scan_count=18468019, drop_count=0, exec_time=1654965289, api_et=1654950840.000000000, api_lt=1654965240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654950840.000000000, search_lt=1654965240.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3038", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=132, eliminated_buckets=0, considered_events=18468019, total_slices=1204872, decompressed_slices=357463, duration.command.search.index=7053, invocations.command.search.index.bucketcache.hit=132, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51284, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10335035, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 16:34:20.473, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654965180_83899', total_run_time=36.84, event_count=0, result_count=0, available_count=0, scan_count=41092143, drop_count=0, exec_time=1654965206, api_et=1654961580.000000000, api_lt=1654965180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654961580.000000000, search_lt=1654965207.923133000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3301", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_9dbd42541f0ec3dc", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1915, eliminated_buckets=134, considered_events=41092143, total_slices=14486900, decompressed_slices=4197701, duration.command.search.index=13682, invocations.command.search.index.bucketcache.hit=1914, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=224781, invocations.command.search.rawdata.bucketcache.hit=309, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 16:34:19.746, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654965180_83911', total_run_time=15.54, event_count=0, result_count=0, available_count=0, scan_count=18465639, drop_count=0, exec_time=1654965229, api_et=1654950780.000000000, api_lt=1654965180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654950780.000000000, search_lt=1654965180.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2582", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=132, eliminated_buckets=0, considered_events=18465639, total_slices=1203161, decompressed_slices=357381, duration.command.search.index=7409, invocations.command.search.index.bucketcache.hit=132, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56994, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10333005, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 16:33:19.682, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654965120_83874', total_run_time=13.73, event_count=0, result_count=0, available_count=0, scan_count=18462459, drop_count=0, exec_time=1654965170, api_et=1654950720.000000000, api_lt=1654965120.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654950720.000000000, search_lt=1654965120.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2706", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=132, eliminated_buckets=0, considered_events=18462459, total_slices=1201516, decompressed_slices=357411, duration.command.search.index=7224, invocations.command.search.index.bucketcache.hit=132, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53455, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10329708, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 16:32:19.781, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654965060_83845', total_run_time=13.60, event_count=0, result_count=0, available_count=0, scan_count=18460084, drop_count=0, exec_time=1654965110, api_et=1654950660.000000000, api_lt=1654965060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654950660.000000000, search_lt=1654965060.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2644", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=132, eliminated_buckets=0, considered_events=18460084, total_slices=1199941, decompressed_slices=357374, duration.command.search.index=7606, invocations.command.search.index.bucketcache.hit=132, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52386, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10327552, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 16:31:19.962, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654965000_83816', total_run_time=17.96, event_count=0, result_count=0, available_count=0, scan_count=18454887, drop_count=0, exec_time=1654965049, api_et=1654950600.000000000, api_lt=1654965000.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654950600.000000000, search_lt=1654965000.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3671", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=132, eliminated_buckets=0, considered_events=18454887, total_slices=1198328, decompressed_slices=357292, duration.command.search.index=8173, invocations.command.search.index.bucketcache.hit=132, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=60749, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10324304, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 16:30:19.931, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654964940_83788', total_run_time=12.75, event_count=0, result_count=0, available_count=0, scan_count=18447662, drop_count=0, exec_time=1654964990, api_et=1654950540.000000000, api_lt=1654964940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654950540.000000000, search_lt=1654964940.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2670", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=132, eliminated_buckets=0, considered_events=18447662, total_slices=1196655, decompressed_slices=357275, duration.command.search.index=6307, invocations.command.search.index.bucketcache.hit=132, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53686, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10318316, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 16:29:19.429, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654964880_83774', total_run_time=12.11, event_count=0, result_count=0, available_count=0, scan_count=18441764, drop_count=0, exec_time=1654964930, api_et=1654950480.000000000, api_lt=1654964880.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654950480.000000000, search_lt=1654964880.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2616", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=132, eliminated_buckets=1, considered_events=18441764, total_slices=1194960, decompressed_slices=357219, duration.command.search.index=6812, invocations.command.search.index.bucketcache.hit=132, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52027, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10313466, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 16:29:19.327, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654964820_83759', total_run_time=12.71, event_count=0, result_count=0, available_count=0, scan_count=18436257, drop_count=0, exec_time=1654964870, api_et=1654950420.000000000, api_lt=1654964820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654950420.000000000, search_lt=1654964820.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2626", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=132, eliminated_buckets=1, considered_events=18436257, total_slices=1193368, decompressed_slices=357193, duration.command.search.index=6707, invocations.command.search.index.bucketcache.hit=132, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51610, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10308528, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 16:27:09.205, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654964760_83740', total_run_time=11.43, event_count=0, result_count=0, available_count=0, scan_count=18433322, drop_count=0, exec_time=1654964809, api_et=1654950360.000000000, api_lt=1654964760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654950360.000000000, search_lt=1654964760.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2481", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=132, eliminated_buckets=1, considered_events=18433322, total_slices=1191750, decompressed_slices=357175, duration.command.search.index=6673, invocations.command.search.index.bucketcache.hit=132, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51394, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10304132, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 16:26:09.238, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654964700_83724', total_run_time=11.89, event_count=0, result_count=0, available_count=0, scan_count=18426323, drop_count=0, exec_time=1654964749, api_et=1654950300.000000000, api_lt=1654964700.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654950300.000000000, search_lt=1654964700.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2984", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=18426323, total_slices=1190194, decompressed_slices=357097, duration.command.search.index=6432, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=50439, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10301824, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 16:25:09.073, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654964640_83710', total_run_time=12.36, event_count=0, result_count=0, available_count=0, scan_count=18421814, drop_count=0, exec_time=1654964689, api_et=1654950240.000000000, api_lt=1654964640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654950240.000000000, search_lt=1654964640.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2671", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=18421814, total_slices=1188399, decompressed_slices=357125, duration.command.search.index=7146, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=50628, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10300728, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 16:24:09.241, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654964580_83692', total_run_time=13.12, event_count=0, result_count=0, available_count=0, scan_count=18421835, drop_count=0, exec_time=1654964629, api_et=1654950180.000000000, api_lt=1654964580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654950180.000000000, search_lt=1654964580.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2576", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=18421835, total_slices=1186787, decompressed_slices=357255, duration.command.search.index=6727, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=49228, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10301291, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 16:23:09.374, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654964520_83659', total_run_time=11.50, event_count=0, result_count=0, available_count=0, scan_count=18417202, drop_count=0, exec_time=1654964569, api_et=1654950120.000000000, api_lt=1654964520.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654950120.000000000, search_lt=1654964520.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2571", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=0, considered_events=18417202, total_slices=1184973, decompressed_slices=357210, duration.command.search.index=6659, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=50710, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10300721, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 16:22:09.177, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654964460_83643', total_run_time=13.61, event_count=0, result_count=0, available_count=0, scan_count=18414286, drop_count=0, exec_time=1654964509, api_et=1654950060.000000000, api_lt=1654964460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654950060.000000000, search_lt=1654964460.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2629", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=0, considered_events=18414286, total_slices=1183492, decompressed_slices=357147, duration.command.search.index=7038, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=49358, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10299454, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 16:21:39.327, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD5f35305de57109d38_at_1654964400_83616', total_run_time=14.89, event_count=10298386, result_count=15, available_count=0, scan_count=18413099, drop_count=0, exec_time=1654964457, api_et=1654950000.000000000, api_lt=1654964400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654950000.000000000, search_lt=1654964400.000000000, is_realtime=0, savedsearch_name="(1/3)_Public/NAT IP_Updating Existing IP", search_startup_time="2643", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_0f6d107c44b6659a", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=0, considered_events=18413099, total_slices=1182116, decompressed_slices=357181, duration.command.search.index=7550, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=54558, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10298386, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="False" | eval earliest_seen=strptime(existing_es, "%m/%d/%Y %H:%M:%S.%N") | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(earliest_seen) as 
earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields ServiceType, host, src_translated_ip, earliest_seen, latest_seen, right_now, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 16:21:09.903, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654964400_83613', total_run_time=13.91, event_count=0, result_count=0, available_count=0, scan_count=18413099, drop_count=0, exec_time=1654964449, api_et=1654950000.000000000, api_lt=1654964400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654950000.000000000, search_lt=1654964400.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2759", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=0, considered_events=18413099, total_slices=1181959, decompressed_slices=357180, duration.command.search.index=7772, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53599, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10298386, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 16:20:09.390, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654964340_83589', total_run_time=11.75, event_count=0, result_count=0, available_count=0, scan_count=18411333, drop_count=0, exec_time=1654964389, api_et=1654949940.000000000, api_lt=1654964340.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654949940.000000000, search_lt=1654964340.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2588", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=0, considered_events=18411333, total_slices=1180285, decompressed_slices=357162, duration.command.search.index=6715, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=48690, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10298794, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 16:19:09.125, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654964280_83563', total_run_time=13.61, event_count=0, result_count=0, available_count=0, scan_count=18407116, drop_count=0, exec_time=1654964330, api_et=1654949880.000000000, api_lt=1654964280.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654949880.000000000, search_lt=1654964280.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2636", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=0, considered_events=18407116, total_slices=1178684, decompressed_slices=357065, duration.command.search.index=8020, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56645, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10295589, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 16:18:32.953, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654964220_83542', total_run_time=12.65, event_count=0, result_count=0, available_count=0, scan_count=18408628, drop_count=0, exec_time=1654964269, api_et=1654949820.000000000, api_lt=1654964220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654949820.000000000, search_lt=1654964220.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2601", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=0, considered_events=18408628, total_slices=1177000, decompressed_slices=357097, duration.command.search.index=6713, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51483, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10296287, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 16:17:09.124, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654964160_83518', total_run_time=11.58, event_count=0, result_count=0, available_count=0, scan_count=18410253, drop_count=0, exec_time=1654964209, api_et=1654949760.000000000, api_lt=1654964160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654949760.000000000, search_lt=1654964160.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2701", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=0, considered_events=18410253, total_slices=1175416, decompressed_slices=357169, duration.command.search.index=6810, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=48710, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10295183, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 16:16:39.325, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654964160_83512', total_run_time=8.34, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654964170, api_et=1654959960.000000000, api_lt=1654963560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654960560.000000000, search_lt=1654964173.124303000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3795", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_2149a48dea37c97a", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1022, eliminated_buckets=342, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=639, invocations.command.search.index.bucketcache.hit=1022, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes 
values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 16:16:09.465, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654964100_83501', total_run_time=11.78, event_count=0, result_count=0, available_count=0, scan_count=18411199, drop_count=0, exec_time=1654964150, api_et=1654949700.000000000, api_lt=1654964100.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654949700.000000000, search_lt=1654964100.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2888", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=0, considered_events=18411199, total_slices=1173815, 
decompressed_slices=357169, duration.command.search.index=6508, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51868, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10295856, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 16:15:09.230, 
user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654964040_83481', total_run_time=11.67, event_count=0, result_count=0, available_count=0, scan_count=18411030, drop_count=0, exec_time=1654964089, api_et=1654949640.000000000, api_lt=1654964040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654949640.000000000, search_lt=1654964040.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2584", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=0, considered_events=18411030, total_slices=1172167, decompressed_slices=357129, duration.command.search.index=6359, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52313, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10295996, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" 
src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 16:14:30.278, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654963980_83459', total_run_time=11.41, event_count=0, result_count=0, available_count=0, scan_count=18411096, drop_count=0, exec_time=1654964029, api_et=1654949580.000000000, api_lt=1654963980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654949580.000000000, search_lt=1654963980.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2559", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=0, considered_events=18411096, total_slices=1170560, decompressed_slices=357066, duration.command.search.index=6756, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, 
invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52414, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10296175, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 16:14:30.230, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654964040_83469', total_run_time=4.37, 
event_count=0, result_count=0, available_count=0, scan_count=13784, drop_count=0, exec_time=1654964063, api_et=1654960440.000000000, api_lt=1654964040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654960440.000000000, search_lt=1654964065.412428000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2773", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=413, eliminated_buckets=286, considered_events=13784, total_slices=616639, decompressed_slices=1990, duration.command.search.index=973, invocations.command.search.index.bucketcache.hit=413, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5686, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=50, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=47, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=145, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=33, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=7, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=65, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=1, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull 
value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-11-2022 16:14:30.001, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654963920_83431', total_run_time=12.08, event_count=0, result_count=0, available_count=0, scan_count=18412702, drop_count=0, exec_time=1654963969, api_et=1654949520.000000000, api_lt=1654963920.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654949520.000000000, search_lt=1654963920.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2643", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=0, considered_events=18412702, total_slices=1168933, decompressed_slices=357159, duration.command.search.index=6666, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, 
invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51867, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10297068, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 16:12:28.919, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654963860_83413', total_run_time=12.40, event_count=0, result_count=0, available_count=0, scan_count=18415313, drop_count=0, exec_time=1654963909, 
api_et=1654949460.000000000, api_lt=1654963860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654949460.000000000, search_lt=1654963860.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2980", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=0, considered_events=18415313, total_slices=1167471, decompressed_slices=357134, duration.command.search.index=6891, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=48994, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10297236, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS 
existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 16:11:28.946, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654963800_83388', total_run_time=14.20, event_count=0, result_count=0, available_count=0, scan_count=18416694, drop_count=0, exec_time=1654963849, api_et=1654949400.000000000, api_lt=1654963800.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654949400.000000000, search_lt=1654963800.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2579", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=0, considered_events=18416694, total_slices=1165867, decompressed_slices=357144, duration.command.search.index=7511, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51517, invocations.command.search.rawdata.bucketcache.hit=2, 
duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10298564, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 16:11:28.789, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654963860_83395', total_run_time=5.17, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654963864, api_et=1654960260.000000000, api_lt=1654963860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654960260.000000000, search_lt=1654963866.883056000, 
is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="3014", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_c47ce10064bb0f27", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=122, eliminated_buckets=45, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=53, invocations.command.search.index.bucketcache.hit=122, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, 
risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 16:10:29.070, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654963740_83369', total_run_time=12.02, event_count=0, result_count=0, available_count=0, scan_count=18415754, drop_count=0, exec_time=1654963789, api_et=1654949340.000000000, api_lt=1654963740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654949340.000000000, search_lt=1654963740.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2575", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=0, considered_events=18415754, total_slices=1164205, decompressed_slices=357128, duration.command.search.index=6539, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51803, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, 
invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10298613, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 16:09:28.947, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654963740_83361', total_run_time=21.24, event_count=0, result_count=0, available_count=0, scan_count=3700888, drop_count=0, exec_time=1654963745, api_et=1654959540.000000000, api_lt=1654963140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654959540.000000000, search_lt=1654963140.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="2950", has_error_msg=false, 
fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_5e8f5508aaa92149", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=790, eliminated_buckets=369, considered_events=3700888, total_slices=984133, decompressed_slices=167480, duration.command.search.index=1551, invocations.command.search.index.bucketcache.hit=789, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=27981, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=80, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, 
risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 16:09:13.684, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654963680_83353', total_run_time=10.78, event_count=0, result_count=0, available_count=0, scan_count=18411400, drop_count=0, exec_time=1654963729, api_et=1654949280.000000000, api_lt=1654963680.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654949280.000000000, search_lt=1654963680.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2610", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=0, considered_events=18411400, total_slices=1162526, decompressed_slices=357074, duration.command.search.index=6514, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=49100, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, 
invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10297586, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 16:08:58.238, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654963620_83345', total_run_time=24.21, event_count=1153, result_count=56, available_count=0, scan_count=317756, drop_count=0, exec_time=1654963684, api_et=1654960020.000000000, api_lt=1654963620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654960020.000000000, search_lt=1654963686.309735000, is_realtime=0, savedsearch_name="Threat 
- DMOESS1306 - Host - Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2910", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=412, eliminated_buckets=199, considered_events=323513, total_slices=478402, decompressed_slices=87816, duration.command.search.index=3018, invocations.command.search.index.bucketcache.hit=412, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=24672, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=256978, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=27684, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable 
reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-11-2022 16:08:58.154, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654963620_83331', total_run_time=5.83, event_count=0, result_count=0, available_count=0, scan_count=1, drop_count=0, exec_time=1654963646, api_et=1654960020.000000000, api_lt=1654963620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654960020.000000000, search_lt=1654963648.330888000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2684", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_42b739e1b441a81f", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=412, eliminated_buckets=199, considered_events=1, total_slices=5268, decompressed_slices=1, duration.command.search.index=698, invocations.command.search.index.bucketcache.hit=412, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, 
invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=206, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 16:08:58.065, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654963620_83336', total_run_time=11.43, event_count=0, result_count=0, available_count=0, scan_count=18413520, drop_count=0, exec_time=1654963669, api_et=1654949220.000000000, api_lt=1654963620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654949220.000000000, search_lt=1654963620.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2719", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=0, considered_events=18413520, total_slices=1160814, decompressed_slices=357127, duration.command.search.index=6789, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=50566, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10296451, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 16:07:29.009, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654963560_83315', total_run_time=11.99, event_count=0, result_count=0, available_count=0, scan_count=18414480, drop_count=0, exec_time=1654963609, api_et=1654949160.000000000, api_lt=1654963560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654949160.000000000, search_lt=1654963560.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2663", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=0, considered_events=18414480, total_slices=1159443, decompressed_slices=357123, duration.command.search.index=6875, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52094, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10296694, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 16:06:28.979, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654963500_83301', total_run_time=13.99, event_count=0, result_count=0, available_count=0, scan_count=18412730, drop_count=0, exec_time=1654963550, api_et=1654949100.000000000, api_lt=1654963500.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654949100.000000000, search_lt=1654963500.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3130", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=0, considered_events=18412730, total_slices=1157818, decompressed_slices=357086, duration.command.search.index=7307, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52089, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10297708, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 16:05:15.202, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654963440_83284', total_run_time=13.66, event_count=0, result_count=0, available_count=0, scan_count=18411799, drop_count=0, exec_time=1654963489, api_et=1654949040.000000000, api_lt=1654963440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654949040.000000000, search_lt=1654963440.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2778", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=0, considered_events=18411799, total_slices=1156300, decompressed_slices=357063, duration.command.search.index=7731, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55036, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10297727, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 16:04:47.929, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654963380_83242', total_run_time=17.57, event_count=0, result_count=0, available_count=0, scan_count=18412745, drop_count=0, exec_time=1654963430, api_et=1654948980.000000000, api_lt=1654963380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654948980.000000000, search_lt=1654963380.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2799", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=0, considered_events=18412745, total_slices=1154680, decompressed_slices=357064, duration.command.search.index=9475, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=75017, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10299216, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 16:04:47.799, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654963320_83196', total_run_time=20.36, event_count=0, result_count=0, available_count=0, scan_count=18413207, drop_count=0, exec_time=1654963369, api_et=1654948920.000000000, api_lt=1654963320.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654948920.000000000, search_lt=1654963320.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2778", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=0, considered_events=18413207, total_slices=1152888, decompressed_slices=357023, duration.command.search.index=9853, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=79682, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10299604, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 16:02:28.382, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654963260_83165', total_run_time=16.51, event_count=0, result_count=0, available_count=0, scan_count=18412284, drop_count=0, exec_time=1654963309, api_et=1654948860.000000000, api_lt=1654963260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654948860.000000000, search_lt=1654963260.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2689", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=0, considered_events=18412284, total_slices=1151328, decompressed_slices=356975, duration.command.search.index=8872, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=70818, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10302168, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 16:01:27.818, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654963200_83135', total_run_time=21.24, event_count=0, result_count=0, available_count=0, scan_count=18413053, drop_count=0, exec_time=1654963250, api_et=1654948800.000000000, api_lt=1654963200.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654948800.000000000, search_lt=1654963200.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2735", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=0, considered_events=18413053, total_slices=1149801, decompressed_slices=356950, duration.command.search.index=9153, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=76194, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10306115, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 15:44:23.733, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654962180_82846', total_run_time=24.41, event_count=0, result_count=0, available_count=0, scan_count=3756, drop_count=0, exec_time=1654962217, api_et=1654958580.000000000, api_lt=1654962180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654958580.000000000, search_lt=1654962219.741961000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2572", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_10c6f584f63a9abc", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=129, eliminated_buckets=0, considered_events=3756, total_slices=971431, decompressed_slices=989, duration.command.search.index=1086, invocations.command.search.index.bucketcache.hit=129, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4833, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 15:36:42.576, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654961580_82639', total_run_time=42.90, event_count=0, result_count=0, available_count=0, scan_count=41238364, drop_count=0, exec_time=1654961605, api_et=1654957980.000000000, api_lt=1654961580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654957980.000000000, search_lt=1654961607.602903000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3625", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_2e2400cec4bb0ec1", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1902, eliminated_buckets=134, considered_events=41238364, total_slices=14599346, decompressed_slices=4204443, duration.command.search.index=14433, invocations.command.search.index.bucketcache.hit=1898, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=232147, invocations.command.search.rawdata.bucketcache.hit=293, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 15:16:40.798, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654960560_82295', total_run_time=13.24, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654960571, api_et=1654956360.000000000, api_lt=1654959960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654956960.000000000, search_lt=1654960573.060591000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3352", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_37fd0e0dbfbe5684", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1030, eliminated_buckets=348, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=613, invocations.command.search.index.bucketcache.hit=1029, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 15:14:40.753, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654960440_82255', total_run_time=4.05, event_count=0, result_count=0, available_count=0, scan_count=14275, drop_count=0, exec_time=1654960463, api_et=1654956840.000000000, api_lt=1654960440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654956840.000000000, search_lt=1654960465.110025000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2725", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=412, eliminated_buckets=284, considered_events=14576, total_slices=636404, decompressed_slices=2443, duration.command.search.index=1019, invocations.command.search.index.bucketcache.hit=412, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5562, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=36, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=88, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=235, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=54, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=4, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=72, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | 
`filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-11-2022 15:11:25.670, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654960260_82188', total_run_time=4.97, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654960263, api_et=1654956660.000000000, api_lt=1654960260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654956660.000000000, search_lt=1654960265.777854000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2615", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_43c02203d9f4468d", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=122, eliminated_buckets=45, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=52, invocations.command.search.index.bucketcache.hit=122, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 15:09:55.446, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654960140_82154', total_run_time=23.38, event_count=0, result_count=0, available_count=0, scan_count=3748249, drop_count=0, exec_time=1654960145, api_et=1654955940.000000000, api_lt=1654959540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654955940.000000000, search_lt=1654959540.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="2955", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_9bc5136b30f147af", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=778, eliminated_buckets=361, considered_events=3748249, total_slices=994842, decompressed_slices=170161, duration.command.search.index=1943, invocations.command.search.index.bucketcache.hit=778, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=32811, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=83, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 15:08:37.972, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654960020_82135', total_run_time=21.22, event_count=1109, result_count=56, available_count=0, scan_count=293147, drop_count=0, exec_time=1654960080, api_et=1654956420.000000000, api_lt=1654960020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654956420.000000000, search_lt=1654960082.205057000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2705", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=415, eliminated_buckets=201, considered_events=299657, total_slices=483536, decompressed_slices=80262, duration.command.search.index=2774, invocations.command.search.index.bucketcache.hit=415, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=23560, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=235974, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=25359, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | 
rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-11-2022 15:08:37.677, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654960020_82130', total_run_time=5.08, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654960046, api_et=1654956420.000000000, api_lt=1654960020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654956420.000000000, search_lt=1654960048.885277000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2894", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_a619c142e3ce2be6", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=414, eliminated_buckets=200, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=598, invocations.command.search.index.bucketcache.hit=414, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, 
invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 14:44:22.409, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654958580_81654', total_run_time=21.31, event_count=0, result_count=0, available_count=0, scan_count=3161, drop_count=0, exec_time=1654958618, api_et=1654954980.000000000, api_lt=1654958580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654954980.000000000, search_lt=1654958620.126457000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2895", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_5147eb703253a799", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=128, eliminated_buckets=0, considered_events=3161, total_slices=877145, decompressed_slices=913, duration.command.search.index=1046, invocations.command.search.index.bucketcache.hit=128, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4704, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 14:38:05.656, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654957980_81444', total_run_time=35.52, event_count=0, result_count=0, available_count=0, scan_count=41463784, drop_count=0, exec_time=1654958005, api_et=1654954380.000000000, api_lt=1654957980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654954380.000000000, search_lt=1654958007.250089000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3679", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_03250b532df9d67e", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1870, eliminated_buckets=134, considered_events=41463784, total_slices=14387105, decompressed_slices=4219662, duration.command.search.index=14524, invocations.command.search.index.bucketcache.hit=1869, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=226428, invocations.command.search.rawdata.bucketcache.hit=267, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 14:16:42.724, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654956960_81094', total_run_time=8.40, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654956970, api_et=1654952760.000000000, api_lt=1654956360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654953360.000000000, search_lt=1654956972.183435000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3281", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_a9f9c324c104350a", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1029, eliminated_buckets=351, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=667, invocations.command.search.index.bucketcache.hit=1029, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc,
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?<rapiddiag_operation>task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metadata")` | rex field=uri "\?(?<get_parameters>.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?<task_name>.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metadata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack."
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 14:14:42.753, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654956840_81054', total_run_time=4.33, event_count=0, result_count=0, available_count=0, scan_count=11581, drop_count=0, exec_time=1654956863, api_et=1654953240.000000000, api_lt=1654956840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654953240.000000000, search_lt=1654956865.082959000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2802", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=430, eliminated_buckets=297, considered_events=11581, total_slices=769868, decompressed_slices=1926, duration.command.search.index=1080, invocations.command.search.index.bucketcache.hit=428, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5620, invocations.command.search.rawdata.bucketcache.hit=7, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=29, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=15, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=176, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=10, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=6, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=38, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | 
`filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-11-2022 14:11:12.633, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654956660_80987', total_run_time=5.32, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654956664, api_et=1654953060.000000000, api_lt=1654956660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654953060.000000000, search_lt=1654956666.980587000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="3119", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_d24e9f01dca54223", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=122, eliminated_buckets=45, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=53, invocations.command.search.index.bucketcache.hit=122, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?<dest_host>.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system."
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 14:09:44.224, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654956540_80956', total_run_time=18.84, event_count=0, result_count=0, available_count=0, scan_count=3822590, drop_count=0, exec_time=1654956545, api_et=1654952340.000000000, api_lt=1654955940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654952340.000000000, search_lt=1654955940.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3070", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_edbbef5056f48620", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=790, eliminated_buckets=366, considered_events=3822590, total_slices=1081999, decompressed_slices=173034, duration.command.search.index=1639, invocations.command.search.index.bucketcache.hit=789, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=28119, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=80, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?<granted_account_id>\d+?):(?<granted_principal_name>.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 14:09:43.746, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654956420_80942', total_run_time=22.07, event_count=2188, result_count=109, available_count=0, scan_count=372645, drop_count=0, exec_time=1654956484, api_et=1654952820.000000000, api_lt=1654956420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654952820.000000000, search_lt=1654956486.448065000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2874", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=426, eliminated_buckets=203, considered_events=380874, total_slices=641113, decompressed_slices=94649, duration.command.search.index=3377, invocations.command.search.index.bucketcache.hit=425, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=26360, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=303819, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=36844, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | 
rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-11-2022 14:07:45.398, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654956420_80931', total_run_time=5.54, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654956446, api_et=1654952820.000000000, api_lt=1654956420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654952820.000000000, search_lt=1654956448.001800000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2840", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_6aab240956532b89", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=426, eliminated_buckets=203, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=707, invocations.command.search.index.bucketcache.hit=425, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, 
invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?<dest_host>(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system."
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 13:44:10.451, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654954980_80465', total_run_time=22.03, event_count=0, result_count=0, available_count=0, scan_count=3714, drop_count=0, exec_time=1654955018, api_et=1654951380.000000000, api_lt=1654954980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654951380.000000000, search_lt=1654955020.314752000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2881", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_632630e44ad46d70", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=128, eliminated_buckets=0, considered_events=3714, total_slices=764508, decompressed_slices=1054, duration.command.search.index=996, invocations.command.search.index.bucketcache.hit=128, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4868, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 13:35:12.623, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654954380_80259', total_run_time=35.45, event_count=0, result_count=0, available_count=0, scan_count=41613351, drop_count=0, exec_time=1654954405, api_et=1654950780.000000000, api_lt=1654954380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654950780.000000000, search_lt=1654954407.730060000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3728", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_960f6c563d272f1f", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1866, eliminated_buckets=134, considered_events=41613351, total_slices=14414106, decompressed_slices=4219904, duration.command.search.index=14451, invocations.command.search.index.bucketcache.hit=1864, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=228903, invocations.command.search.rawdata.bucketcache.hit=282, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 13:16:27.557, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654953360_79918', total_run_time=9.55, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654953371, api_et=1654949160.000000000, api_lt=1654952760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654949760.000000000, search_lt=1654953373.187723000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3261", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_01511d19e24cf2e8", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1032, eliminated_buckets=351, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=746, invocations.command.search.index.bucketcache.hit=1032, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc,
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?<rapiddiag_operation>task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metadata")` | rex field=uri "\?(?<get_parameters>.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?<task_name>.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metadata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack."
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 13:14:43.192, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654953240_79878', total_run_time=4.87, event_count=0, result_count=0, available_count=0, scan_count=11021, drop_count=0, exec_time=1654953263, api_et=1654949640.000000000, api_lt=1654953240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654949640.000000000, search_lt=1654953265.157712000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2775", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=413, eliminated_buckets=286, considered_events=11021, total_slices=775160, decompressed_slices=1974, duration.command.search.index=957, invocations.command.search.index.bucketcache.hit=413, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5404, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=32, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=38, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=424, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=24, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=5, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=54, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | 
`filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-11-2022 13:11:27.684, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654953060_79813', total_run_time=5.26, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654953064, api_et=1654949460.000000000, api_lt=1654953060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654949460.000000000, search_lt=1654953066.978302000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="3105", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_afb347e946db9ec4", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=122, eliminated_buckets=45, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=52, invocations.command.search.index.bucketcache.hit=122, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 13:09:57.137, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654952940_79782', total_run_time=21.47, event_count=0, result_count=0, available_count=0, scan_count=3757220, drop_count=0, exec_time=1654952945, api_et=1654948740.000000000, api_lt=1654952340.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654948740.000000000, search_lt=1654952340.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3040", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_8a08675df83fd6b2", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=790, eliminated_buckets=367, considered_events=3757220, total_slices=1089436, decompressed_slices=173736, duration.command.search.index=1623, invocations.command.search.index.bucketcache.hit=789, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=28852, invocations.command.search.rawdata.bucketcache.hit=9, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=108, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 13:08:50.149, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654952820_79758', total_run_time=6.75, event_count=0, result_count=0, available_count=0, scan_count=1, drop_count=0, exec_time=1654952846, api_et=1654949220.000000000, api_lt=1654952820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654949220.000000000, search_lt=1654952848.577426000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To 
Gitlab Servers - Rule", search_startup_time="2751", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_e2f8e9c4c3a3ba3b", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=415, eliminated_buckets=200, considered_events=1, total_slices=2229, decompressed_slices=1, duration.command.search.index=629, invocations.command.search.index.bucketcache.hit=415, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=147, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine 
dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 13:08:50.007, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654952820_79763', total_run_time=19.43, event_count=1922, result_count=109, available_count=0, scan_count=356985, drop_count=0, exec_time=1654952880, api_et=1654949220.000000000, api_lt=1654952820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654949220.000000000, search_lt=1654952882.366112000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2808", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=415, eliminated_buckets=200, considered_events=366742, total_slices=646079, decompressed_slices=88118, duration.command.search.index=3271, invocations.command.search.index.bucketcache.hit=415, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=26471, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, 
invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=294555, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=34584, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-11-2022 13:00:26.985, user=u00002, action=search, 
info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654952340_79570', total_run_time=25.17, event_count=0, result_count=0, available_count=0, scan_count=18875036, drop_count=0, exec_time=1654952390, api_et=1654937940.000000000, api_lt=1654952340.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654937940.000000000, search_lt=1654952340.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3204", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=0, considered_events=18875036, total_slices=1122339, decompressed_slices=363727, duration.command.search.index=6630, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61526, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10658733, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" 
src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 12:59:26.953, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654952280_79557', total_run_time=15.60, event_count=0, result_count=0, available_count=0, scan_count=18874896, drop_count=0, exec_time=1654952329, api_et=1654937880.000000000, api_lt=1654952280.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654937880.000000000, search_lt=1654952280.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3043", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=0, considered_events=18874896, total_slices=1120728, decompressed_slices=363793, duration.command.search.index=7150, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, 
invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53398, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10658344, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 12:58:27.221, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654952220_79542', total_run_time=19.86, 
event_count=0, result_count=0, available_count=0, scan_count=18875971, drop_count=0, exec_time=1654952269, api_et=1654937820.000000000, api_lt=1654952220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654937820.000000000, search_lt=1654952220.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2593", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=0, considered_events=18875971, total_slices=1119100, decompressed_slices=363712, duration.command.search.index=7004, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56919, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10658707, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, 
dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 12:57:26.897, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654952160_79524', total_run_time=19.10, event_count=0, result_count=0, available_count=0, scan_count=18876315, drop_count=0, exec_time=1654952209, api_et=1654937760.000000000, api_lt=1654952160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654937760.000000000, search_lt=1654952160.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2564", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=0, considered_events=18876315, total_slices=1117473, decompressed_slices=363710, duration.command.search.index=7015, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, 
duration.command.search.rawdata=56091, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10658233, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 12:56:27.112, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654952100_79513', total_run_time=16.00, event_count=0, result_count=0, available_count=0, scan_count=18875913, drop_count=0, exec_time=1654952149, api_et=1654937700.000000000, 
api_lt=1654952100.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654937700.000000000, search_lt=1654952100.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2648", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=0, considered_events=18875913, total_slices=1115905, decompressed_slices=363686, duration.command.search.index=6972, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56077, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10657720, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, 
earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 12:55:27.111, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654952040_79496', total_run_time=21.36, event_count=0, result_count=0, available_count=0, scan_count=18879458, drop_count=0, exec_time=1654952089, api_et=1654937640.000000000, api_lt=1654952040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654937640.000000000, search_lt=1654952040.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2715", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=0, considered_events=18879458, total_slices=1114319, decompressed_slices=363741, duration.command.search.index=7102, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52050, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, 
invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10659429, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 12:54:27.085, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654951980_79479', total_run_time=24.93, event_count=0, result_count=0, available_count=0, scan_count=18882393, drop_count=0, exec_time=1654952029, api_et=1654937580.000000000, api_lt=1654951980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654937580.000000000, search_lt=1654951980.000000000, is_realtime=0, 
savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3221", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=0, considered_events=18882393, total_slices=1112622, decompressed_slices=363809, duration.command.search.index=7039, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=54570, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10659730, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as 
ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 12:53:52.464, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654951920_79455', total_run_time=25.73, event_count=0, result_count=0, available_count=0, scan_count=18883234, drop_count=0, exec_time=1654951969, api_et=1654937520.000000000, api_lt=1654951920.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654937520.000000000, search_lt=1654951920.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2722", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=0, considered_events=18883234, total_slices=1110932, decompressed_slices=363805, duration.command.search.index=7592, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58709, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, 
invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10659192, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 12:52:26.955, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654951860_79438', total_run_time=22.39, event_count=0, result_count=0, available_count=0, scan_count=18882122, drop_count=0, exec_time=1654951910, api_et=1654937460.000000000, api_lt=1654951860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654937460.000000000, search_lt=1654951860.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2711", has_error_msg=false, fully_completed_search=true, 
is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=0, considered_events=18882122, total_slices=1109478, decompressed_slices=363879, duration.command.search.index=7922, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61657, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10658392, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval 
right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 12:51:57.404, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654951800_79414', total_run_time=38.41, event_count=0, result_count=0, available_count=0, scan_count=18884935, drop_count=0, exec_time=1654951849, api_et=1654937400.000000000, api_lt=1654951800.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654937400.000000000, search_lt=1654951800.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2655", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=0, considered_events=18884935, total_slices=1107813, decompressed_slices=363908, duration.command.search.index=8313, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=65281, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10660182, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 12:50:17.262, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654951740_79391', total_run_time=27.21, event_count=0, result_count=0, available_count=0, scan_count=18886478, drop_count=0, exec_time=1654951789, api_et=1654937340.000000000, api_lt=1654951740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654937340.000000000, search_lt=1654951740.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2657", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=0, considered_events=18886478, total_slices=1106200, decompressed_slices=363987, duration.command.search.index=7566, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56042, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10659371, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 12:50:17.067, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654951620_79353', total_run_time=17.64, event_count=0, result_count=0, available_count=0, scan_count=18886161, drop_count=0, exec_time=1654951669, api_et=1654937220.000000000, api_lt=1654951620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654937220.000000000, search_lt=1654951620.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2761", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=0, considered_events=18886161, total_slices=1102844, decompressed_slices=363970, duration.command.search.index=7177, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56042, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10659784, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 12:50:16.967, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654951680_79369', total_run_time=20.63, event_count=0, result_count=0, available_count=0, scan_count=18886630, drop_count=0, exec_time=1654951729, api_et=1654937280.000000000, api_lt=1654951680.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654937280.000000000, search_lt=1654951680.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2732", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=0, considered_events=18886630, total_slices=1104511, decompressed_slices=364013, duration.command.search.index=7137, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56500, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10659961, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 12:47:26.950, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654951560_79332', total_run_time=21.26, event_count=0, result_count=0, available_count=0, scan_count=18884936, drop_count=0, exec_time=1654951609, api_et=1654937160.000000000, api_lt=1654951560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654937160.000000000, search_lt=1654951560.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2548", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=18884936, total_slices=1127063, decompressed_slices=364070, duration.command.search.index=6880, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56633, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10659010, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 12:46:25.389, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654951500_79314', total_run_time=19.76, event_count=0, result_count=0, available_count=0, scan_count=18888123, drop_count=0, exec_time=1654951549, api_et=1654937100.000000000, api_lt=1654951500.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654937100.000000000, search_lt=1654951500.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2741", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=18888123, total_slices=1125889, decompressed_slices=364159, duration.command.search.index=7381, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57259, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10660489, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 12:45:25.774, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654951440_79291', total_run_time=21.49, event_count=0, result_count=0, available_count=0, scan_count=18890779, drop_count=0, exec_time=1654951490, api_et=1654937040.000000000, api_lt=1654951440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654937040.000000000, search_lt=1654951440.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3430", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=18890779, total_slices=1124277, decompressed_slices=364185, duration.command.search.index=7163, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59488, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10661558, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 12:44:25.526, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654951380_79270', total_run_time=28.10, event_count=0, result_count=0, available_count=0, scan_count=18893400, drop_count=0, exec_time=1654951429, api_et=1654936980.000000000, api_lt=1654951380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654936980.000000000, search_lt=1654951380.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3069", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=141, eliminated_buckets=0, considered_events=18893400, total_slices=1122740, decompressed_slices=364281, duration.command.search.index=7449, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=64027, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10662818, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 12:44:25.451, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654951380_79267', total_run_time=37.70, event_count=0, result_count=0, available_count=0, scan_count=3961, drop_count=0, exec_time=1654951418, api_et=1654947780.000000000, api_lt=1654951380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654947780.000000000, search_lt=1654951419.939518000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2844", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_354d4cfa0d6595d9", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=0, considered_events=3961, total_slices=725711, decompressed_slices=1023, duration.command.search.index=1265, invocations.command.search.index.bucketcache.hit=129, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5434, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 12:43:25.538, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654951320_79242', total_run_time=24.96, event_count=0, result_count=0, available_count=0, scan_count=18897108, drop_count=0, exec_time=1654951369, api_et=1654936920.000000000, api_lt=1654951320.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654936920.000000000, search_lt=1654951320.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2642", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=141, eliminated_buckets=0, considered_events=18897108, total_slices=1121068, decompressed_slices=364369, duration.command.search.index=7806, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=68194, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10664392, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 12:42:25.640, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654951260_79219', total_run_time=19.74, event_count=0, result_count=0, available_count=0, scan_count=18899902, drop_count=0, exec_time=1654951309, api_et=1654936860.000000000, api_lt=1654951260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654936860.000000000, search_lt=1654951260.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2725", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=141, eliminated_buckets=0, considered_events=18899902, total_slices=1119017, decompressed_slices=364309, duration.command.search.index=7571, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59500, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10666018, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 12:41:25.787, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654951200_79194', total_run_time=30.47, event_count=0, result_count=0, available_count=0, scan_count=18901761, drop_count=0, exec_time=1654951250, api_et=1654936800.000000000, api_lt=1654951200.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654936800.000000000, search_lt=1654951200.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2681", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=141, eliminated_buckets=0, considered_events=18901761, total_slices=1117961, decompressed_slices=364299, duration.command.search.index=7685, invocations.command.search.index.bucketcache.hit=141, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=65056, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10667262, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 12:40:24.837, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654951020_79141', total_run_time=18.63, event_count=0, result_count=0, available_count=0, scan_count=18912774, drop_count=0, exec_time=1654951069, api_et=1654936620.000000000, api_lt=1654951020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654936620.000000000, search_lt=1654951020.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2729", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=142, eliminated_buckets=0, considered_events=18912774, total_slices=1139484, decompressed_slices=364546, duration.command.search.index=7151, invocations.command.search.index.bucketcache.hit=142, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56236, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10672876, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 12:40:24.744, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654951080_79156', total_run_time=16.77, event_count=0, result_count=0, available_count=0, scan_count=18908190, drop_count=0, exec_time=1654951129, api_et=1654936680.000000000, api_lt=1654951080.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654936680.000000000, search_lt=1654951080.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2596", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=141, eliminated_buckets=0, considered_events=18908190, total_slices=1114557, decompressed_slices=364545, duration.command.search.index=7111, invocations.command.search.index.bucketcache.hit=141, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56317, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10670740, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 12:40:23.721, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654950780_79045', total_run_time=308.82, event_count=0, result_count=0, available_count=0, scan_count=41702762, drop_count=0, exec_time=1654950805, api_et=1654947180.000000000, api_lt=1654950780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654947180.000000000, search_lt=1654950807.764387000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3859", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_8d0c3f4394a16873", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1842, eliminated_buckets=134, considered_events=41702762, total_slices=14445852, decompressed_slices=4212516, duration.command.search.index=15109, invocations.command.search.index.bucketcache.hit=1842, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=236019, invocations.command.search.rawdata.bucketcache.hit=276, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 12:40:23.585, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654951140_79172', total_run_time=22.26, event_count=0, result_count=0, available_count=0, scan_count=18905162, drop_count=0, exec_time=1654951190, api_et=1654936740.000000000, api_lt=1654951140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654936740.000000000, search_lt=1654951140.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2760", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=141, eliminated_buckets=0, considered_events=18905162, total_slices=1116231, decompressed_slices=364413, duration.command.search.index=7212, invocations.command.search.index.bucketcache.hit=141, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=62064, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10669143, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 12:37:11.442, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654950960_79126', total_run_time=18.32, event_count=0, result_count=0, available_count=0, scan_count=18915269, drop_count=0, exec_time=1654951010, api_et=1654936560.000000000, api_lt=1654950960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654936560.000000000, search_lt=1654950960.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2667", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=142, eliminated_buckets=0, considered_events=18915269, total_slices=1138032, decompressed_slices=364576, duration.command.search.index=7143, invocations.command.search.index.bucketcache.hit=142, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57860, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10676004, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 12:36:41.744, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654950900_79116', total_run_time=31.35, event_count=0, result_count=0, available_count=0, scan_count=18920739, drop_count=0, exec_time=1654950950, api_et=1654936500.000000000, api_lt=1654950900.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654936500.000000000, search_lt=1654950900.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2631", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=143, eliminated_buckets=0, considered_events=18920739, total_slices=1162879, decompressed_slices=364700, duration.command.search.index=8027, invocations.command.search.index.bucketcache.hit=143, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=63808, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10680625, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 12:35:30.293, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654950840_79095', total_run_time=20.21, event_count=0, result_count=0, available_count=0, scan_count=18926353, drop_count=0, exec_time=1654950889, api_et=1654936440.000000000, api_lt=1654950840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654936440.000000000, search_lt=1654950840.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2832", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=143, eliminated_buckets=0, considered_events=18926353, total_slices=1161273, decompressed_slices=364733, duration.command.search.index=7371, invocations.command.search.index.bucketcache.hit=143, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57267, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10684770, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 12:35:07.974, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654950720_79022', total_run_time=29.37, event_count=0, result_count=0, available_count=0, scan_count=18936021, drop_count=0, exec_time=1654950770, api_et=1654936320.000000000, api_lt=1654950720.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654936320.000000000, search_lt=1654950720.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2758", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=143, eliminated_buckets=0, considered_events=18936021, total_slices=1158036, decompressed_slices=364688, duration.command.search.index=9160, invocations.command.search.index.bucketcache.hit=143, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=80382, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10692282, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 12:35:07.100, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654950780_79059', total_run_time=25.82, event_count=0, result_count=0, available_count=0, scan_count=18928885, drop_count=0, exec_time=1654950829, api_et=1654936380.000000000, api_lt=1654950780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654936380.000000000, search_lt=1654950780.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2670", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=143, eliminated_buckets=0, considered_events=18928885, total_slices=1159602, decompressed_slices=364715, duration.command.search.index=8062, invocations.command.search.index.bucketcache.hit=143, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=64318, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10687997, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 12:32:36.241, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654950660_78992', total_run_time=37.99, event_count=0, result_count=0, available_count=0, scan_count=18937819, drop_count=0, exec_time=1654950710, api_et=1654936260.000000000, api_lt=1654950660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654936260.000000000, search_lt=1654950660.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3180", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=143, eliminated_buckets=0, considered_events=18937819, total_slices=1156528, decompressed_slices=364680, duration.command.search.index=9903, invocations.command.search.index.bucketcache.hit=143, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=83196, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10693307, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 12:32:06.390, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654950600_78963', total_run_time=47.44, event_count=0, result_count=0, available_count=0, scan_count=18944261, drop_count=0, exec_time=1654950649, api_et=1654936200.000000000, api_lt=1654950600.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654936200.000000000, search_lt=1654950600.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3196", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=143, eliminated_buckets=0, considered_events=18944261, total_slices=1154763, decompressed_slices=364771, duration.command.search.index=12673, invocations.command.search.index.bucketcache.hit=143, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=95717, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10698589, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 12:30:35.397, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654950540_78935', total_run_time=22.76, event_count=0, result_count=0, available_count=0, scan_count=18952971, drop_count=0, exec_time=1654950589, api_et=1654936140.000000000, api_lt=1654950540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654936140.000000000, search_lt=1654950540.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2656", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=143, eliminated_buckets=0, considered_events=18952971, total_slices=1153294, decompressed_slices=364827, duration.command.search.index=7515, invocations.command.search.index.bucketcache.hit=143, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61806, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10704492, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 12:30:05.769, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654950420_78908', total_run_time=21.02, event_count=0, result_count=0, available_count=0, scan_count=18962699, drop_count=0, exec_time=1654950469, api_et=1654936020.000000000, api_lt=1654950420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654936020.000000000, search_lt=1654950420.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2626", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=18962699, total_slices=1176032, decompressed_slices=364914, duration.command.search.index=7579, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=62386, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10711938, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 12:30:05.695, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654950480_78922', total_run_time=19.52, event_count=0, result_count=0, available_count=0, scan_count=18958650, drop_count=0, exec_time=1654950530, api_et=1654936080.000000000, api_lt=1654950480.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654936080.000000000, search_lt=1654950480.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2676", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=143, eliminated_buckets=0, considered_events=18958650, total_slices=1151600, decompressed_slices=364894, duration.command.search.index=7682, invocations.command.search.index.bucketcache.hit=143, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=69944, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10708414, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 12:27:23.067, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654950360_78889', total_run_time=21.92, event_count=0, result_count=0, available_count=0, scan_count=18964804, drop_count=0, exec_time=1654950409, api_et=1654935960.000000000, api_lt=1654950360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654935960.000000000, search_lt=1654950360.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2604", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=18964804, total_slices=1174416, decompressed_slices=364913, duration.command.search.index=7753, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=65136, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10716424, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 12:26:23.068, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654950300_78873', total_run_time=23.78, event_count=0, result_count=0, available_count=0, scan_count=18967472, drop_count=0, exec_time=1654950349, api_et=1654935900.000000000, api_lt=1654950300.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654935900.000000000, search_lt=1654950300.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3248", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=18967472, total_slices=1172893, decompressed_slices=364971, duration.command.search.index=7855, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=65305, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10718997, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 12:25:23.688, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654950240_78859', total_run_time=22.40, event_count=0, result_count=0, available_count=0, scan_count=18969025, drop_count=0, exec_time=1654950290, api_et=1654935840.000000000, api_lt=1654950240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654935840.000000000, search_lt=1654950240.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2716", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=18969025, total_slices=1171281, decompressed_slices=364995, duration.command.search.index=7966, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=63755, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10720674, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 12:24:24.525, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654950180_78840', total_run_time=20.53, event_count=0, result_count=0, available_count=0, scan_count=18970631, drop_count=0, exec_time=1654950229, api_et=1654935780.000000000, api_lt=1654950180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654935780.000000000, search_lt=1654950180.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2680", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=18970631, total_slices=1169588, decompressed_slices=364951, duration.command.search.index=7682, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=63358, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10721510, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 12:23:23.047, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654950120_78808', total_run_time=24.07, event_count=0, result_count=0, available_count=0, scan_count=18972051, drop_count=0, exec_time=1654950169, api_et=1654935720.000000000, api_lt=1654950120.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654935720.000000000, search_lt=1654950120.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2624", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=18972051, total_slices=1167937, decompressed_slices=365004, duration.command.search.index=8343, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=68701, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10722552, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 12:22:22.983, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654950060_78792', total_run_time=21.31, event_count=0, result_count=0, available_count=0, scan_count=18974832, drop_count=0, exec_time=1654950109, api_et=1654935660.000000000, api_lt=1654950060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654935660.000000000, search_lt=1654950060.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2715", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=18974832, total_slices=1166288, decompressed_slices=365043, duration.command.search.index=8988, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=65811, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10724300, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 12:21:23.303, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654950000_78764', total_run_time=16.78, event_count=0, result_count=0, available_count=0, scan_count=18977195, drop_count=0, exec_time=1654950049, api_et=1654935600.000000000, api_lt=1654950000.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654935600.000000000, search_lt=1654950000.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2658", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=18977195, total_slices=1164775, decompressed_slices=365157, duration.command.search.index=7202, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55260, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10726478, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 12:20:23.110, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654949940_78740', total_run_time=19.62, event_count=0, result_count=0, available_count=0, scan_count=18982076, drop_count=0, exec_time=1654949989, api_et=1654935540.000000000, api_lt=1654949940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654935540.000000000, search_lt=1654949940.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2608", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=18982076, total_slices=1163132, decompressed_slices=365212, duration.command.search.index=7524, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52679, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10729076, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 12:19:23.407, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654949880_78715', total_run_time=19.58, event_count=0, result_count=0, available_count=0, scan_count=18986090, drop_count=0, exec_time=1654949929, api_et=1654935480.000000000, api_lt=1654949880.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654935480.000000000, search_lt=1654949880.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2673", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=18986090, total_slices=1161544, decompressed_slices=365305, duration.command.search.index=8012, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=63642, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10732315, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 12:18:23.193, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654949820_78694', total_run_time=21.97, event_count=0, result_count=0, available_count=0, scan_count=18989549, drop_count=0, exec_time=1654949869, api_et=1654935420.000000000, api_lt=1654949820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654935420.000000000, search_lt=1654949820.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2619", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=18989549, total_slices=1159995, decompressed_slices=365343, duration.command.search.index=7846, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57728, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10734396, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 12:17:23.184, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654949760_78671', total_run_time=17.80, event_count=0, result_count=0, available_count=0, scan_count=18989432, drop_count=0, exec_time=1654949809, api_et=1654935360.000000000, api_lt=1654949760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654935360.000000000, search_lt=1654949760.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2653", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=18989432, total_slices=1158416, decompressed_slices=365311, duration.command.search.index=7442, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57207, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10735362, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 12:16:23.210, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654949760_78665', total_run_time=9.03, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654949771, api_et=1654945560.000000000, api_lt=1654949160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654946160.000000000, search_lt=1654949773.522012000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3678", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_15635bbc1abbd93a", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1030, eliminated_buckets=350, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=644, invocations.command.search.index.bucketcache.hit=1030, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes 
values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 12:16:23.002, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654949700_78654', total_run_time=28.30, event_count=0, result_count=0, available_count=0, scan_count=18989397, drop_count=0, exec_time=1654949749, api_et=1654935300.000000000, api_lt=1654949700.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654935300.000000000, search_lt=1654949700.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2610", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=18989397, total_slices=1156849, 
decompressed_slices=365410, duration.command.search.index=7811, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=60740, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10737263, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 12:15:23.536, 
user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654949640_78635', total_run_time=26.17, event_count=0, result_count=0, available_count=0, scan_count=18992869, drop_count=0, exec_time=1654949689, api_et=1654935240.000000000, api_lt=1654949640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654935240.000000000, search_lt=1654949640.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2561", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=18992869, total_slices=1181417, decompressed_slices=365525, duration.command.search.index=7831, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=64271, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10739304, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" 
dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 12:14:53.305, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654949640_78622', total_run_time=6.50, event_count=0, result_count=0, available_count=0, scan_count=10289, drop_count=0, exec_time=1654949663, api_et=1654946040.000000000, api_lt=1654949640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654946040.000000000, search_lt=1654949665.505415000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2729", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=414, eliminated_buckets=288, considered_events=10289, total_slices=766316, decompressed_slices=1773, duration.command.search.index=1437, invocations.command.search.index.bucketcache.hit=414, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=6326, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=47, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=33, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=84, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=20, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=7, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=29, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR 
sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." 
(CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-11-2022 12:14:12.223, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654949580_78612', total_run_time=20.04, event_count=0, result_count=0, available_count=0, scan_count=18995051, drop_count=0, exec_time=1654949629, api_et=1654935180.000000000, api_lt=1654949580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654935180.000000000, search_lt=1654949580.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2735", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=18995051, total_slices=1179847, decompressed_slices=365517, duration.command.search.index=7713, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=65073, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10740531, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 12:13:52.922, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654949520_78584', total_run_time=25.26, event_count=0, result_count=0, available_count=0, scan_count=18996337, drop_count=0, exec_time=1654949569, api_et=1654935120.000000000, api_lt=1654949520.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654935120.000000000, search_lt=1654949520.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2754", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=18996337, total_slices=1178175, decompressed_slices=365487, duration.command.search.index=7434, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=62564, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10741484, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 12:12:17.893, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654949460_78566', total_run_time=26.94, event_count=0, result_count=0, available_count=0, scan_count=18994643, drop_count=0, exec_time=1654949509, api_et=1654935060.000000000, api_lt=1654949460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654935060.000000000, search_lt=1654949460.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3189", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=18994643, total_slices=1176600, decompressed_slices=365538, duration.command.search.index=7818, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61249, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10740833, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 12:11:47.778, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654949400_78541', total_run_time=33.24, event_count=0, result_count=0, available_count=0, scan_count=18996969, drop_count=0, exec_time=1654949449, api_et=1654935000.000000000, api_lt=1654949400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654935000.000000000, search_lt=1654949400.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2713", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=18996969, total_slices=1175122, decompressed_slices=365641, duration.command.search.index=8197, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=69019, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10742004, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 12:11:17.777, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654949460_78548', total_run_time=4.73, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654949464, api_et=1654945860.000000000, api_lt=1654949460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654945860.000000000, search_lt=1654949466.421713000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2808", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_17d9de528a91e751", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=122, eliminated_buckets=45, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=54, invocations.command.search.index.bucketcache.hit=122, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 12:10:35.207, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654949340_78519', total_run_time=21.91, event_count=0, result_count=0, available_count=0, scan_count=19002620, drop_count=0, exec_time=1654949389, api_et=1654934940.000000000, api_lt=1654949340.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654934940.000000000, search_lt=1654949340.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2825", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=19002620, total_slices=1173459, decompressed_slices=365745, duration.command.search.index=7415, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61874, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10744674, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 12:10:35.126, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654949280_78503', total_run_time=22.22, event_count=0, result_count=0, available_count=0, scan_count=19007952, drop_count=0, exec_time=1654949329, api_et=1654934880.000000000, api_lt=1654949280.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654934880.000000000, search_lt=1654949280.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2667", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=19007952, total_slices=1171871, decompressed_slices=365809, duration.command.search.index=7375, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58946, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10746890, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 12:10:35.092, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654949220_78494', total_run_time=22.65, event_count=1198, result_count=56, available_count=0, scan_count=304053, drop_count=0, exec_time=1654949284, api_et=1654945620.000000000, api_lt=1654949220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654945620.000000000, search_lt=1654949286.299181000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2924", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=416, eliminated_buckets=198, considered_events=309795, total_slices=684429, decompressed_slices=82980, duration.command.search.index=3320, invocations.command.search.index.bucketcache.hit=416, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=26609, invocations.command.search.rawdata.bucketcache.hit=5, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=1, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=248597, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=29212, 
search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-11-2022 12:10:35.054, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654949340_78511', total_run_time=24.43, event_count=0, result_count=0, available_count=0, scan_count=3699602, drop_count=0, exec_time=1654949345, api_et=1654945140.000000000, 
api_lt=1654948740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654945140.000000000, search_lt=1654948740.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3101", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_a61801be70f277ea", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=788, eliminated_buckets=366, considered_events=3699602, total_slices=999950, decompressed_slices=167586, duration.command.search.index=1615, invocations.command.search.index.bucketcache.hit=785, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=28501, invocations.command.search.rawdata.bucketcache.hit=7, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=106, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id 
!= recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 12:10:35.050, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654949220_78486', total_run_time=30.85, event_count=0, result_count=0, available_count=0, scan_count=19005636, drop_count=0, exec_time=1654949269, api_et=1654934820.000000000, api_lt=1654949220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654934820.000000000, search_lt=1654949220.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2645", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=19005636, total_slices=1170285, decompressed_slices=365742, duration.command.search.index=8404, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=64839, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10746114, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 12:10:34.689, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654949220_78481', total_run_time=8.50, event_count=0, result_count=0, available_count=0, 
scan_count=4, drop_count=0, exec_time=1654949246, api_et=1654945620.000000000, api_lt=1654949220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654945620.000000000, search_lt=1654949248.437691000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2726", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_a1d4b278ce8a1432", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=416, eliminated_buckets=198, considered_events=4, total_slices=15782, decompressed_slices=4, duration.command.search.index=841, invocations.command.search.index.bucketcache.hit=416, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=749, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR 
CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?<dest_host>(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 12:10:34.662, user=u00002, action=search, info=completed, search_id='scheduler__u00002__search__RMD5b133e58a16dd7195_at_1654948800_78435', total_run_time=235.38, event_count=2696, result_count=2695, available_count=0, scan_count=1757201, drop_count=0, exec_time=1654949090, api_et=1654862400.000000000, api_lt=1654948800.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1567209600.000000000, search_lt=1654948800.000000000, is_realtime=0, savedsearch_name="DMO Confluence Aging Metrics", search_startup_time="64606", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_search_u00002_cde3758ea8a0137a", app="search", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=30400, eliminated_buckets=4805, considered_events=1757201, total_slices=14044310, decompressed_slices=1089788, duration.command.search.index=1193921, invocations.command.search.index.bucketcache.hit=26277, duration.command.search.index.bucketcache.hit=0, 
invocations.command.search.index.bucketcache.miss=4172, duration.command.search.index.bucketcache.miss=574519, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=274410, invocations.command.search.rawdata.bucketcache.hit=18540, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=1589, duration.command.search.rawdata.bucketcache.miss=342616, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__access=71088, sourcetype_count__atlassian:confluence:access=1170765, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search earliest=08/31/2019:00:00:00 latest=now index=ops_confluence url IN ("https://confluence.tshirt.com/display/SEC/*") uri_path="/rest/quickreload/latest/*" | fields url, uri_path | rex field=uri_path "\/rest\/quickreload\/latest\/(?<pageId>[^?]+)" | rex field=url "https:\/\/confluence.tshirt.com\/display\/SEC\/(?<pageTitle_1>[^?]+)" | rex field=url "https://confluence.tshirt.com/display/~u00001/(?<pageTitle_2>[^?]+)" | eval pageTitle=coalesce(pageTitle_1, pageTitle_2, "") | fields pageId, pageTitle | dedup pageId | join type=left pageId [search earliest=08/31/2019:00:00:00 latest=now index=ops_confluence PUT user=* url="https://confluence.tshirt.com/pages/resumedraft.action?draftId=*" uri_path="/rest/api/content/*" | rex field=uri_path "\/rest\/api\/content\/(?<pageId>[^?]+)\?status=draft" | stats latest(_time) AS last_edited latest(user) AS last_edited_by by pageId | fields last_edited last_edited_by pageId] | fields last_edited pageTitle pageId last_edited_by | eval days=round(((now()-last_edited)/86400),0) | convert ctime(last_edited) | table last_edited pageTitle pageId last_edited_by days | where 
pageId!=0 | sort +days | outputlookup dmo_conf_age.csv'] Audit:[timestamp=06-11-2022 12:07:30.958, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654949160_78466', total_run_time=26.64, event_count=0, result_count=0, available_count=0, scan_count=19004918, drop_count=0, exec_time=1654949210, api_et=1654934760.000000000, api_lt=1654949160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654934760.000000000, search_lt=1654949160.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2576", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=19004918, total_slices=1168764, decompressed_slices=365825, duration.command.search.index=7949, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=69954, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10747478, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 12:06:30.695, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654949100_78452', total_run_time=30.16, event_count=0, result_count=0, available_count=0, scan_count=19007564, drop_count=0, exec_time=1654949150, api_et=1654934700.000000000, api_lt=1654949100.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654934700.000000000, search_lt=1654949100.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3112", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=19007564, total_slices=1167203, decompressed_slices=365947, duration.command.search.index=8361, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=66935, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10749093, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 12:05:30.814, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654949040_78434', total_run_time=35.24, event_count=0, result_count=0, available_count=0, scan_count=19010769, drop_count=0, exec_time=1654949090, api_et=1654934640.000000000, api_lt=1654949040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654934640.000000000, search_lt=1654949040.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2686", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=19010769, total_slices=1165577, decompressed_slices=366060, duration.command.search.index=8972, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=72082, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10752440, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 12:04:32.022, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654948980_78391', total_run_time=37.13, event_count=0, result_count=0, available_count=0, scan_count=19012660, drop_count=0, exec_time=1654949030, api_et=1654934580.000000000, api_lt=1654948980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654934580.000000000, search_lt=1654948980.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2627", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=19012660, total_slices=1163993, decompressed_slices=366166, duration.command.search.index=11276, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=93544, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10752625, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 12:03:30.800, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654948920_78345', total_run_time=31.43, event_count=0, result_count=0, available_count=0, scan_count=19011467, drop_count=0, exec_time=1654948970, api_et=1654934520.000000000, api_lt=1654948920.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654934520.000000000, search_lt=1654948920.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2653", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=146, eliminated_buckets=0, considered_events=19011467, total_slices=1188802, decompressed_slices=366177, duration.command.search.index=9349, invocations.command.search.index.bucketcache.hit=146, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=80942, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10753101, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 12:02:31.101, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654948860_78314', total_run_time=31.10, event_count=0, result_count=0, available_count=0, scan_count=19014669, drop_count=0, exec_time=1654948910, api_et=1654934460.000000000, api_lt=1654948860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654934460.000000000, search_lt=1654948860.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2675", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=146, eliminated_buckets=0, considered_events=19014669, total_slices=1187184, decompressed_slices=366246, duration.command.search.index=9936, invocations.command.search.index.bucketcache.hit=146, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=88068, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10753878, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 12:02:00.718, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD5447569e8e48a25cb_at_1654948800_78278', total_run_time=63.18, event_count=0, result_count=103, available_count=0, scan_count=0, drop_count=0, exec_time=1654948833, api_et=1654947000.000000000, api_lt=1654948800.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654947000.000000000, search_lt=1654948800.000000000, is_realtime=0, savedsearch_name="DMO SOP SIR Metrics", search_startup_time="63952", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=0, eliminated_buckets=0, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=0, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='| inputlookup dmo_conf_age.csv | search pageTitle IN ("DMOESS*", "RQ-S*") NOT pageTitle IN ("*+Retired", "*+RETIRED") | rex field=pageTitle "^(?<usecase_id>\S+?)\+" | join usecase_id [| search earliest=-1y index=sec_snow sourcetype=snow:sn_si_incident | rex field=description "(?s)\|\s(?<usecase_title>(RQ-|DMOESS).*)?For ServiceNow Consumption:" | stats latest(number) as latest_sir_number by _time, usecase_title | makemv usecase_title delim=" | " | mvexpand usecase_title | search usecase_title IN ("RQ-*", "DMOESS*") | stats last(latest_sir_number) as latest_sir_number latest(_time) as last_appeared_in_sir by usecase_title | rex field=usecase_title "^(?<usecase_id>\S*)" | fields usecase_id, usecase_title, latest_sir_number, last_appeared_in_sir] | stats values(pageTitle) as conf_pageTitle, values(last_edited_by) as conf_last_edited_by, values(last_edited) as conf_last_edited, values(days) as conf_days_since_last_edit, values(pageId) as conf_pageId by last_appeared_in_sir, latest_sir_number, usecase_id, usecase_title | convert ctime(last_appeared_in_sir) | outputlookup dmo_sop_sir_metrics.csv'] Audit:[timestamp=06-11-2022 12:01:31.313, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654948800_78282', total_run_time=18.02, event_count=0, result_count=0, available_count=0, scan_count=19017690, drop_count=0, exec_time=1654948850, api_et=1654934400.000000000, api_lt=1654948800.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654934400.000000000, search_lt=1654948800.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2719", has_error_msg=false, 
fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=146, eliminated_buckets=0, considered_events=19017690, total_slices=1185607, decompressed_slices=366338, duration.command.search.index=9280, invocations.command.search.index.bucketcache.hit=146, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=69667, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=10753971, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host 
src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 11:44:20.588, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654947780_77992', total_run_time=31.98, event_count=0, result_count=0, available_count=0, scan_count=3273, drop_count=0, exec_time=1654947818, api_et=1654944180.000000000, api_lt=1654947780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654944180.000000000, search_lt=1654947820.333911000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2448", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_144729ca0f54ee57", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=3273, total_slices=686385, decompressed_slices=923, duration.command.search.index=1208, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4891, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 11:38:57.151, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654947180_77785', total_run_time=305.95, event_count=0, result_count=0, available_count=0, scan_count=41202545, drop_count=0, exec_time=1654947205, api_et=1654943580.000000000, api_lt=1654947180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654943580.000000000, search_lt=1654947207.333153000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3750", has_error_msg=true, fully_completed_search=false, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_70a659b9490023b2", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1817, eliminated_buckets=134, considered_events=41202545, total_slices=14289053, decompressed_slices=4159583, duration.command.search.index=16038, invocations.command.search.index.bucketcache.hit=1817, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=226281, invocations.command.search.rawdata.bucketcache.hit=284, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 11:16:39.067, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654946160_77445', total_run_time=7.92, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654946170, api_et=1654941960.000000000, api_lt=1654945560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654942560.000000000, search_lt=1654946171.911030000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3283", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_37701bd50a3d45c0", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1030, eliminated_buckets=351, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=666, invocations.command.search.index.bucketcache.hit=1030, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?<rapiddiag_operation>task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?<get_parameters>.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?<task_name>.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 11:14:39.461, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654946040_77404', total_run_time=5.87, event_count=0, result_count=0, available_count=0, scan_count=21413, drop_count=0, exec_time=1654946063, api_et=1654942440.000000000, api_lt=1654946040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654942440.000000000, search_lt=1654946064.998864000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2842", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=411, eliminated_buckets=285, considered_events=22008, total_slices=751406, decompressed_slices=2453, duration.command.search.index=1100, invocations.command.search.index.bucketcache.hit=411, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=6057, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=36, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=17, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=74, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=11, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=6, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=12, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | 
`filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-11-2022 11:11:39.007, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654945860_77338', total_run_time=5.35, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654945865, api_et=1654942260.000000000, api_lt=1654945860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654942260.000000000, search_lt=1654945867.379556000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="3310", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_f0b83d65bf0c705e", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=123, eliminated_buckets=46, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=54, invocations.command.search.index.bucketcache.hit=123, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?<dest_host>.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 11:09:38.943, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654945740_77305', total_run_time=21.94, event_count=0, result_count=0, available_count=0, scan_count=3811923, drop_count=0, exec_time=1654945745, api_et=1654941540.000000000, api_lt=1654945140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654941540.000000000, search_lt=1654945140.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3124", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_75899299be5b0e4d", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=775, eliminated_buckets=357, considered_events=3811923, total_slices=1024122, decompressed_slices=173051, duration.command.search.index=1714, invocations.command.search.index.bucketcache.hit=774, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=30063, invocations.command.search.rawdata.bucketcache.hit=9, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=131, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?<granted_account_id>\d+?):(?<granted_principal_name>.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 11:08:33.946, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654945620_77286', total_run_time=19.49, event_count=1082, result_count=57, available_count=0, scan_count=269923, drop_count=0, exec_time=1654945680, api_et=1654942020.000000000, api_lt=1654945620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654942020.000000000, search_lt=1654945682.496608000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="3017", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=411, eliminated_buckets=198, considered_events=276575, total_slices=608176, decompressed_slices=75091, duration.command.search.index=3574, invocations.command.search.index.bucketcache.hit=411, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=24291, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=217400, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=25384, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | 
rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-11-2022 11:07:39.053, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654945620_77281', total_run_time=5.75, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654945646, api_et=1654942020.000000000, api_lt=1654945620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654942020.000000000, search_lt=1654945648.663766000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2747", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_3a5635c73db673be", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=411, eliminated_buckets=198, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=756, invocations.command.search.index.bucketcache.hit=411, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, 
invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?<dest_host>(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 10:44:10.297, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654944180_76813', total_run_time=30.52, event_count=0, result_count=0, available_count=0, scan_count=2952, drop_count=0, exec_time=1654944218, api_et=1654940580.000000000, api_lt=1654944180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654940580.000000000, search_lt=1654944220.624186000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2790", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_82742cdf3d14fa8c", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=2952, total_slices=583294, decompressed_slices=774, duration.command.search.index=1122, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4787, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 10:41:16.526, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654943580_76602', total_run_time=333.95, event_count=0, result_count=0, available_count=0, scan_count=41465274, drop_count=0, exec_time=1654943605, api_et=1654939980.000000000, api_lt=1654943580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654939980.000000000, search_lt=1654943607.645566000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3763", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_97c5d51eeab70792", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1831, eliminated_buckets=134, considered_events=41465274, total_slices=14370568, decompressed_slices=4199341, duration.command.search.index=14953, invocations.command.search.index.bucketcache.hit=1828, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=231720, invocations.command.search.rawdata.bucketcache.hit=297, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 10:16:33.575, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654942560_76251', total_run_time=9.22, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654942571, api_et=1654938360.000000000, api_lt=1654941960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654938960.000000000, search_lt=1654942573.121977000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3365", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_bcaaa65eb9e6c328", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1028, eliminated_buckets=351, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=641, invocations.command.search.index.bucketcache.hit=1028, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?<rapiddiag_operation>task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?<get_parameters>.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?<task_name>.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 10:14:33.697, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654942440_76211', total_run_time=4.44, event_count=0, result_count=0, available_count=0, scan_count=11534, drop_count=0, exec_time=1654942463, api_et=1654938840.000000000, api_lt=1654942440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654938840.000000000, search_lt=1654942465.815540000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2853", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=412, eliminated_buckets=286, considered_events=11539, total_slices=717033, decompressed_slices=2254, duration.command.search.index=980, invocations.command.search.index.bucketcache.hit=412, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5671, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=23, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=33, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=124, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=22, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=6, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=28, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | 
`filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-11-2022 10:11:33.674, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654942260_76144', total_run_time=5.13, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654942265, api_et=1654938660.000000000, api_lt=1654942260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654938660.000000000, search_lt=1654942267.370307000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="3081", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_1dd315c7ff262b99", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=122, eliminated_buckets=45, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=55, invocations.command.search.index.bucketcache.hit=122, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 10:09:36.350, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654942020_76092', total_run_time=15.22, event_count=1196, result_count=58, available_count=0, scan_count=296001, drop_count=0, exec_time=1654942080, api_et=1654938420.000000000, api_lt=1654942020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654938420.000000000, search_lt=1654942082.956524000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - Windows - CLI Threat Indicator Detected - Rule", search_startup_time="3180", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=411, eliminated_buckets=198, considered_events=299938, total_slices=560702, decompressed_slices=82938, duration.command.search.index=3233, invocations.command.search.index.bucketcache.hit=411, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=25979, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=246713, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=27165, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-11-2022 10:09:36.280, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654942140_76113', total_run_time=17.40, event_count=0, result_count=0, available_count=0, scan_count=3869731, drop_count=0, exec_time=1654942146, api_et=1654937940.000000000, api_lt=1654941540.000000000, 
api_index_et=N/A, api_index_lt=N/A, search_et=1654937940.000000000, search_lt=1654941540.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3214", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_1fae6b5a45590083", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=779, eliminated_buckets=360, considered_events=3869731, total_slices=1049126, decompressed_slices=175715, duration.command.search.index=1675, invocations.command.search.index.bucketcache.hit=779, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=30062, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=155, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | 
stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 10:07:37.418, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654942020_76087', total_run_time=6.99, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654942046, api_et=1654938420.000000000, api_lt=1654942020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654938420.000000000, search_lt=1654942048.845265000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2883", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_98ef637361b8c490", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=411, eliminated_buckets=198, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=766, invocations.command.search.index.bucketcache.hit=411, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, 
invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 09:52:50.947, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654940580_75617', total_run_time=21.12, event_count=0, result_count=0, available_count=0, scan_count=3538, drop_count=0, exec_time=1654940618, api_et=1654936980.000000000, api_lt=1654940580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654936980.000000000, search_lt=1654940619.796984000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2376", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_c1214459a56a0746", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=3538, total_slices=659737, decompressed_slices=850, duration.command.search.index=1041, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4766, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 09:39:19.005, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654939980_75412', total_run_time=36.12, event_count=0, result_count=0, available_count=0, scan_count=41432426, drop_count=0, exec_time=1654940006, api_et=1654936380.000000000, api_lt=1654939980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654936380.000000000, search_lt=1654940008.162504000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="4202", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_9fb91773ca77184a", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1835, eliminated_buckets=134, considered_events=41432426, total_slices=14452407, decompressed_slices=4212240, duration.command.search.index=16450, invocations.command.search.index.bucketcache.hit=1833, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=226942, invocations.command.search.rawdata.bucketcache.hit=302, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 09:16:44.386, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654938960_75065', total_run_time=7.09, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654938970, api_et=1654934760.000000000, api_lt=1654938360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654935360.000000000, search_lt=1654938972.799205000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3170", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_13cee45b57908cc3", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1028, eliminated_buckets=352, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=654, invocations.command.search.index.bucketcache.hit=1028, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 09:14:57.975, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654938840_75025', total_run_time=4.37, event_count=0, result_count=0, available_count=0, scan_count=16468, drop_count=0, exec_time=1654938863, api_et=1654935240.000000000, api_lt=1654938840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654935240.000000000, search_lt=1654938865.217031000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2757", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=410, eliminated_buckets=285, considered_events=16616, total_slices=688140, decompressed_slices=2680, duration.command.search.index=963, invocations.command.search.index.bucketcache.hit=410, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5764, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=33, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=12, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=42, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=8, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=6, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=10, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | 
`filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-11-2022 09:11:14.652, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654938660_74957', total_run_time=5.44, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654938664, api_et=1654935060.000000000, api_lt=1654938660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654935060.000000000, search_lt=1654938666.749908000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="3271", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_c397fed13af24bba", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=122, eliminated_buckets=45, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=55, invocations.command.search.index.bucketcache.hit=122, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 09:09:44.950, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654938420_74898', total_run_time=6.33, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654938446, api_et=1654934820.000000000, api_lt=1654938420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654934820.000000000, search_lt=1654938448.467349000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2804", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_7861d4adbfe729f8", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=410, eliminated_buckets=197, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=658, invocations.command.search.index.bucketcache.hit=410, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 09:09:44.933, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654938540_74922', total_run_time=20.69, event_count=0, result_count=0, available_count=0, scan_count=3869801, drop_count=0, exec_time=1654938545, api_et=1654934340.000000000, api_lt=1654937940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654934340.000000000, search_lt=1654937940.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="2953", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_82c76616652a9690", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=776, eliminated_buckets=352, considered_events=3869801, total_slices=1116359, decompressed_slices=173164, duration.command.search.index=1620, invocations.command.search.index.bucketcache.hit=773, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=28659, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=113, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 09:09:44.456, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654938420_74903', total_run_time=22.09, event_count=1168, result_count=56, available_count=0, scan_count=297242, drop_count=0, exec_time=1654938480, api_et=1654934820.000000000, api_lt=1654938420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654934820.000000000, search_lt=1654938482.356696000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2942", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=410, eliminated_buckets=197, considered_events=306362, total_slices=568183, decompressed_slices=85489, duration.command.search.index=2834, invocations.command.search.index.bucketcache.hit=410, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=23802, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=243475, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=27207, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | 
rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-11-2022 09:00:37.286, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654937940_74705', total_run_time=13.01, event_count=0, result_count=0, available_count=0, scan_count=19549587, drop_count=0, exec_time=1654937990, api_et=1654923540.000000000, api_lt=1654937940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654923540.000000000, search_lt=1654937940.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2689", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=148, eliminated_buckets=0, considered_events=19549587, total_slices=1310617, decompressed_slices=375649, duration.command.search.index=7157, invocations.command.search.index.bucketcache.hit=148, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, 
invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52936, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11043911, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 08:59:22.232, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654937880_74692', total_run_time=12.32, event_count=0, result_count=0, available_count=0, scan_count=19551686, drop_count=0, exec_time=1654937929, 
api_et=1654923480.000000000, api_lt=1654937880.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654923480.000000000, search_lt=1654937880.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2755", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=148, eliminated_buckets=0, considered_events=19551686, total_slices=1309057, decompressed_slices=375727, duration.command.search.index=7048, invocations.command.search.index.bucketcache.hit=148, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=50749, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11044560, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS 
existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 08:58:22.432, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654937820_74675', total_run_time=14.64, event_count=0, result_count=0, available_count=0, scan_count=19556008, drop_count=0, exec_time=1654937870, api_et=1654923420.000000000, api_lt=1654937820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654923420.000000000, search_lt=1654937820.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="4704", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=148, eliminated_buckets=0, considered_events=19556008, total_slices=1307468, decompressed_slices=375878, duration.command.search.index=6663, invocations.command.search.index.bucketcache.hit=148, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55898, invocations.command.search.rawdata.bucketcache.hit=16, 
duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11045440, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 08:57:13.203, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654937760_74657', total_run_time=12.38, event_count=0, result_count=0, available_count=0, scan_count=19560252, drop_count=0, exec_time=1654937809, api_et=1654923360.000000000, api_lt=1654937760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654923360.000000000, 
search_lt=1654937760.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2686", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=148, eliminated_buckets=0, considered_events=19560252, total_slices=1305821, decompressed_slices=375991, duration.command.search.index=6603, invocations.command.search.index.bucketcache.hit=148, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=54108, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11048142, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | 
search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 08:56:55.680, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654937700_74646', total_run_time=13.03, event_count=0, result_count=0, available_count=0, scan_count=19565452, drop_count=0, exec_time=1654937749, api_et=1654923300.000000000, api_lt=1654937700.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654923300.000000000, search_lt=1654937700.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2809", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=148, eliminated_buckets=0, considered_events=19565452, total_slices=1304140, decompressed_slices=376163, duration.command.search.index=6800, invocations.command.search.index.bucketcache.hit=148, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52744, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, 
duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11051477, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 08:55:22.786, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654937640_74630', total_run_time=13.29, event_count=0, result_count=0, available_count=0, scan_count=19568797, drop_count=0, exec_time=1654937690, api_et=1654923240.000000000, api_lt=1654937640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654923240.000000000, search_lt=1654937640.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", 
search_startup_time="3282", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=148, eliminated_buckets=0, considered_events=19568797, total_slices=1302515, decompressed_slices=376373, duration.command.search.index=7016, invocations.command.search.index.bucketcache.hit=148, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52099, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11053033, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen 
earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 08:54:22.734, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654937580_74613', total_run_time=12.07, event_count=0, result_count=0, available_count=0, scan_count=19571579, drop_count=0, exec_time=1654937629, api_et=1654923180.000000000, api_lt=1654937580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654923180.000000000, search_lt=1654937580.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3041", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=0, considered_events=19571579, total_slices=1300723, decompressed_slices=376485, duration.command.search.index=6876, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51973, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11054508, 
search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 08:53:23.390, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654937280_74501', total_run_time=14.31, event_count=0, result_count=0, available_count=0, scan_count=19590843, drop_count=0, exec_time=1654937329, api_et=1654922880.000000000, api_lt=1654937280.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654922880.000000000, search_lt=1654937280.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2659", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=146, eliminated_buckets=1, considered_events=19590843, total_slices=1318603, decompressed_slices=376976, duration.command.search.index=7273, invocations.command.search.index.bucketcache.hit=146, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=54518, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11067419, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 08:53:22.329, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654937460_74570', total_run_time=13.60, event_count=0, result_count=0, available_count=0, scan_count=19580987, drop_count=0, exec_time=1654937508, api_et=1654923060.000000000, api_lt=1654937460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654923060.000000000, search_lt=1654937460.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2666", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=0, considered_events=19580987, total_slices=1323653, decompressed_slices=376698, duration.command.search.index=7466, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55310, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11060312, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 08:53:21.079, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654937400_74547', total_run_time=15.50, event_count=0, result_count=0, available_count=0, scan_count=19582160, drop_count=0, exec_time=1654937450, api_et=1654923000.000000000, api_lt=1654937400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654923000.000000000, search_lt=1654937400.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2787", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=1, considered_events=19582160, total_slices=1322040, decompressed_slices=376733, duration.command.search.index=7590, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57735, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11061237, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 08:53:20.702, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654937340_74524', total_run_time=12.26, event_count=0, result_count=0, available_count=0, scan_count=19586141, drop_count=0, exec_time=1654937389, api_et=1654922940.000000000, api_lt=1654937340.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654922940.000000000, search_lt=1654937340.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2682", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=1, considered_events=19586141, total_slices=1320242, decompressed_slices=376864, duration.command.search.index=7198, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53246, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11064211, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 08:53:19.337, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654937520_74588', total_run_time=12.51, event_count=0, result_count=0, available_count=0, scan_count=19576729, drop_count=0, exec_time=1654937569, api_et=1654923120.000000000, api_lt=1654937520.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654923120.000000000, search_lt=1654937520.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2657", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=0, considered_events=19576729, total_slices=1325233, decompressed_slices=376632, duration.command.search.index=6913, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52992, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11057384, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 08:48:03.564, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654937220_74484', total_run_time=12.45, event_count=0, result_count=0, available_count=0, scan_count=19594251, drop_count=0, exec_time=1654937269, api_et=1654922820.000000000, api_lt=1654937220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654922820.000000000, search_lt=1654937220.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2635", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=19594251, total_slices=1316923, decompressed_slices=377059, duration.command.search.index=7249, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=54135, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11068322, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 08:47:03.510, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654937160_74462', total_run_time=12.48, event_count=0, result_count=0, available_count=0, scan_count=19600865, drop_count=0, exec_time=1654937209, api_et=1654922760.000000000, api_lt=1654937160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654922760.000000000, search_lt=1654937160.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2556", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=146, eliminated_buckets=0, considered_events=19600865, total_slices=1341553, decompressed_slices=377197, duration.command.search.index=7025, invocations.command.search.index.bucketcache.hit=146, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51794, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11072136, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 08:46:23.048, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654937100_74444', total_run_time=13.55, event_count=0, result_count=0, available_count=0, scan_count=19603932, drop_count=0, exec_time=1654937150, api_et=1654922700.000000000, api_lt=1654937100.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654922700.000000000, search_lt=1654937100.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2632", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=146, eliminated_buckets=0, considered_events=19603932, total_slices=1339889, decompressed_slices=377190, duration.command.search.index=6879, invocations.command.search.index.bucketcache.hit=146, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=54554, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11074461, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 08:46:01.631, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654936920_74371', total_run_time=13.05, event_count=0, result_count=0, available_count=0, scan_count=19615557, drop_count=0, exec_time=1654936969, api_et=1654922520.000000000, api_lt=1654936920.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654922520.000000000, search_lt=1654936920.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2703", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=146, eliminated_buckets=0, considered_events=19615557, total_slices=1334240, decompressed_slices=377428, duration.command.search.index=7108, invocations.command.search.index.bucketcache.hit=146, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55502, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11077044, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 08:46:01.068, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654936980_74401', total_run_time=12.72, event_count=0, result_count=0, available_count=0, scan_count=19613201, drop_count=0, exec_time=1654937029, api_et=1654922580.000000000, api_lt=1654936980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654922580.000000000, search_lt=1654936980.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3100", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=146, eliminated_buckets=0, considered_events=19613201, total_slices=1336533, decompressed_slices=377304, duration.command.search.index=7007, invocations.command.search.index.bucketcache.hit=146, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=54666, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11077400, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 08:46:01.000, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654936860_74348', total_run_time=12.76, event_count=0, result_count=0, available_count=0, scan_count=19620916, drop_count=0, exec_time=1654936909, api_et=1654922460.000000000, api_lt=1654936860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654922460.000000000, search_lt=1654936860.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2815", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=146, eliminated_buckets=0, considered_events=19620916, total_slices=1333311, decompressed_slices=377509, duration.command.search.index=7134, invocations.command.search.index.bucketcache.hit=146, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55318, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11079764, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 08:45:59.997, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654937040_74421', total_run_time=12.60, event_count=0, result_count=0, available_count=0, scan_count=19609422, drop_count=0, exec_time=1654937088, api_et=1654922640.000000000, api_lt=1654937040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654922640.000000000, search_lt=1654937040.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2373", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=146, eliminated_buckets=0, considered_events=19609422, total_slices=1338167, decompressed_slices=377241, duration.command.search.index=6952, invocations.command.search.index.bucketcache.hit=146, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=54436, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11075942, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 08:45:59.864, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654936980_74398', total_run_time=21.20, event_count=0, result_count=0, available_count=0, scan_count=3567, drop_count=0, exec_time=1654937018, api_et=1654933380.000000000, api_lt=1654936980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654933380.000000000, search_lt=1654937020.311830000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2520", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_e6a0a2e98142427f", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=3567, total_slices=728702, decompressed_slices=1038, duration.command.search.index=1027, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4808, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter 
vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 08:41:07.897, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654936800_74323', total_run_time=14.28, event_count=0, result_count=0, available_count=0, scan_count=19622349, drop_count=0, exec_time=1654936849, api_et=1654922400.000000000, api_lt=1654936800.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654922400.000000000, search_lt=1654936800.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2731", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=0, considered_events=19622349, total_slices=1331630, decompressed_slices=377620, duration.command.search.index=7596, invocations.command.search.index.bucketcache.hit=146, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56369, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11081423, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 08:40:07.638, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654936740_74301', total_run_time=12.83, event_count=0, result_count=0, available_count=0, scan_count=19624745, drop_count=0, exec_time=1654936789, api_et=1654922340.000000000, api_lt=1654936740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654922340.000000000, search_lt=1654936740.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2595", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=0, considered_events=19624745, total_slices=1330040, decompressed_slices=377706, duration.command.search.index=6883, invocations.command.search.index.bucketcache.hit=146, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53177, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11082944, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 08:39:07.106, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654936500_74245', total_run_time=12.89, event_count=0, result_count=0, available_count=0, scan_count=19636011, drop_count=0, exec_time=1654936550, api_et=1654922100.000000000, api_lt=1654936500.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654922100.000000000, search_lt=1654936500.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2681", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=0, considered_events=19636011, total_slices=1323362, decompressed_slices=377960, duration.command.search.index=6951, invocations.command.search.index.bucketcache.hit=146, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53339, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11090716, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 08:39:06.930, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654936620_74270', total_run_time=12.88, event_count=0, result_count=0, available_count=0, scan_count=19629297, drop_count=0, exec_time=1654936669, api_et=1654922220.000000000, api_lt=1654936620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654922220.000000000, search_lt=1654936620.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2632", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=0, considered_events=19629297, total_slices=1326553, decompressed_slices=377789, duration.command.search.index=6879, invocations.command.search.index.bucketcache.hit=146, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=54326, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11086804, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 08:39:05.665, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654936440_74224', total_run_time=15.89, event_count=0, result_count=0, available_count=0, scan_count=19638049, drop_count=0, exec_time=1654936490, api_et=1654922040.000000000, api_lt=1654936440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654922040.000000000, search_lt=1654936440.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2734", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=0, considered_events=19638049, total_slices=1321726, decompressed_slices=378026, duration.command.search.index=7962, invocations.command.search.index.bucketcache.hit=146, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59768, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11093093, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 08:39:05.197, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654936380_74174', total_run_time=38.93, event_count=0, result_count=0, available_count=0, scan_count=41673445, drop_count=0, exec_time=1654936405, api_et=1654932780.000000000, api_lt=1654936380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654932780.000000000, search_lt=1654936406.855559000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3672", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_3b4d8f93ee9bd83f", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1828, eliminated_buckets=134, considered_events=41673445, total_slices=14380337, decompressed_slices=4225233, duration.command.search.index=14618, invocations.command.search.index.bucketcache.hit=1827, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=230600, invocations.command.search.rawdata.bucketcache.hit=294, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 08:39:02.943, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654936680_74285', total_run_time=12.46, event_count=0, result_count=0, available_count=0, scan_count=19626300, drop_count=0, exec_time=1654936729, api_et=1654922280.000000000, api_lt=1654936680.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654922280.000000000, search_lt=1654936680.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2639", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=0, considered_events=19626300, total_slices=1328275, decompressed_slices=377694, duration.command.search.index=6798, invocations.command.search.index.bucketcache.hit=146, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52973, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11084677, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 08:39:02.288, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654936560_74255', total_run_time=12.83, event_count=0, result_count=0, available_count=0, scan_count=19634059, drop_count=0, exec_time=1654936610, api_et=1654922160.000000000, api_lt=1654936560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654922160.000000000, search_lt=1654936560.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3169", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=0, considered_events=19634059, total_slices=1324582, decompressed_slices=377875, duration.command.search.index=7057, invocations.command.search.index.bucketcache.hit=146, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55143, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11090306, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 08:39:02.139, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654936380_74188', total_run_time=20.64, event_count=0, result_count=0, available_count=0, scan_count=19639309, drop_count=0, exec_time=1654936429, api_et=1654921980.000000000, api_lt=1654936380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654921980.000000000, search_lt=1654936380.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2557", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=0, considered_events=19639309, total_slices=1320011, decompressed_slices=378103, duration.command.search.index=10258, invocations.command.search.index.bucketcache.hit=146, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=86979, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11093779, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 08:33:21.625, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654936320_74151', total_run_time=15.18, event_count=0, result_count=0, available_count=0, scan_count=19641648, drop_count=0, exec_time=1654936370, api_et=1654921920.000000000, api_lt=1654936320.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654921920.000000000, search_lt=1654936320.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2687", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=0, considered_events=19641648, total_slices=1318373, decompressed_slices=378245, duration.command.search.index=6936, invocations.command.search.index.bucketcache.hit=146, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56909, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11095674, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 08:32:21.429, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654936260_74122', total_run_time=14.90, event_count=0, result_count=0, available_count=0, scan_count=19647707, drop_count=0, exec_time=1654936309, api_et=1654921860.000000000, api_lt=1654936260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654921860.000000000, search_lt=1654936260.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3287", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=0, considered_events=19647707, total_slices=1316781, decompressed_slices=378287, duration.command.search.index=7087, invocations.command.search.index.bucketcache.hit=146, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57708, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11101017, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 08:31:23.281, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654936200_74094', total_run_time=14.62, event_count=0, result_count=0, available_count=0, scan_count=19651940, drop_count=0, exec_time=1654936249, api_et=1654921800.000000000, api_lt=1654936200.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654921800.000000000, search_lt=1654936200.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2698", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=0, considered_events=19651940, total_slices=1315075, decompressed_slices=378421, duration.command.search.index=7314, invocations.command.search.index.bucketcache.hit=146, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57079, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11104159, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 08:30:21.770, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654936140_74065', total_run_time=12.91, event_count=0, result_count=0, available_count=0, scan_count=19658186, drop_count=0, exec_time=1654936190, api_et=1654921740.000000000, api_lt=1654936140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654921740.000000000, search_lt=1654936140.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2548", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=0, considered_events=19658186, total_slices=1313385, decompressed_slices=378485, duration.command.search.index=6709, invocations.command.search.index.bucketcache.hit=146, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56323, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11108740, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 08:29:34.296, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654936080_74051', total_run_time=17.49, event_count=0, result_count=0, available_count=0, scan_count=19661782, drop_count=0, exec_time=1654936129, api_et=1654921680.000000000, api_lt=1654936080.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654921680.000000000, search_lt=1654936080.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2744", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=0, considered_events=19661782, total_slices=1311707, decompressed_slices=378538, duration.command.search.index=7109, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56493, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11111433, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 08:28:21.590, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654936020_74036', total_run_time=12.93, event_count=0, result_count=0, available_count=0, scan_count=19669230, drop_count=0, exec_time=1654936069, api_et=1654921620.000000000, api_lt=1654936020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654921620.000000000, search_lt=1654936020.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2564", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=0, considered_events=19669230, total_slices=1309960, decompressed_slices=378631, duration.command.search.index=6972, invocations.command.search.index.bucketcache.hit=146, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56161, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11114635, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 08:27:21.598, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654935960_74018', total_run_time=12.58, event_count=0, result_count=0, available_count=0, scan_count=19678338, drop_count=0, exec_time=1654936009, api_et=1654921560.000000000, api_lt=1654935960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654921560.000000000, search_lt=1654935960.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2507", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=0, considered_events=19678338, total_slices=1308345, decompressed_slices=378807, duration.command.search.index=7205, invocations.command.search.index.bucketcache.hit=146, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=54993, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11120147, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 08:26:21.419, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654935900_74002', total_run_time=14.34, event_count=0, result_count=0, available_count=0, scan_count=19685622, drop_count=0, exec_time=1654935949, api_et=1654921500.000000000, api_lt=1654935900.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654921500.000000000, search_lt=1654935900.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3121", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=0, considered_events=19685622, total_slices=1306814, decompressed_slices=378926, duration.command.search.index=6913, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56139, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11125374, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 08:25:18.321, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654935840_73989', total_run_time=14.89, event_count=0, result_count=0, available_count=0, scan_count=19690650, drop_count=0, exec_time=1654935889, api_et=1654921440.000000000, api_lt=1654935840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654921440.000000000, search_lt=1654935840.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2538", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=0, considered_events=19690650, total_slices=1305190, decompressed_slices=378953, duration.command.search.index=8009, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58717, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11126623, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 08:25:03.154, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654935780_73970', total_run_time=13.74, event_count=0, result_count=0, available_count=0, scan_count=19691872, drop_count=0, exec_time=1654935829, api_et=1654921380.000000000, api_lt=1654935780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654921380.000000000, search_lt=1654935780.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2621", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=0, considered_events=19691872, total_slices=1303575, decompressed_slices=378976, duration.command.search.index=7394, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=54421, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11129288, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 08:23:21.586, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654935720_73936', total_run_time=14.45, event_count=0, result_count=0, available_count=0, scan_count=19696371, drop_count=0, exec_time=1654935769, api_et=1654921320.000000000, api_lt=1654935720.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654921320.000000000, search_lt=1654935720.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2664", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=0, considered_events=19696371, total_slices=1301825, decompressed_slices=379080, duration.command.search.index=7343, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56076, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11130888, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 08:22:07.523, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654935660_73920', total_run_time=13.84, event_count=0, result_count=0, available_count=0, scan_count=19699657, drop_count=0, exec_time=1654935709, api_et=1654921260.000000000, api_lt=1654935660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654921260.000000000, search_lt=1654935660.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2555", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=0, considered_events=19699657, total_slices=1300229, decompressed_slices=379166, duration.command.search.index=7340, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55809, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11133060, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 08:21:39.967, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD5f35305de57109d38_at_1654935600_73893', total_run_time=15.26, event_count=11135566, result_count=15, available_count=0, scan_count=19705153, drop_count=0, exec_time=1654935657, api_et=1654921200.000000000, api_lt=1654935600.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654921200.000000000, search_lt=1654935600.000000000, is_realtime=0, savedsearch_name="(1/3)_Public/NAT IP_Updating Existing IP", search_startup_time="2641", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_0f6d107c44b6659a", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=0, considered_events=19705153, total_slices=1298817, decompressed_slices=379297, duration.command.search.index=8126, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61046, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11135566, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="False" | eval earliest_seen=strptime(existing_es, "%m/%d/%Y %H:%M:%S.%N") | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(earliest_seen) as 
earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields ServiceType, host, src_translated_ip, earliest_seen, latest_seen, right_now, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 08:21:38.851, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654935540_73866', total_run_time=13.48, event_count=0, result_count=0, available_count=0, scan_count=19708596, drop_count=0, exec_time=1654935589, api_et=1654921140.000000000, api_lt=1654935540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654921140.000000000, search_lt=1654935540.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2806", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=0, considered_events=19708596, total_slices=1296909, decompressed_slices=379333, duration.command.search.index=7140, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52064, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11137477, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 08:21:38.701, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654935480_73840', total_run_time=15.78, event_count=0, result_count=0, available_count=0, scan_count=19710494, drop_count=0, exec_time=1654935529, api_et=1654921080.000000000, api_lt=1654935480.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654921080.000000000, search_lt=1654935480.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2621", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=0, considered_events=19710494, total_slices=1295326, decompressed_slices=379376, duration.command.search.index=8146, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61374, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11139291, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 08:21:38.672, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654935600_73890', total_run_time=16.25, event_count=0, result_count=0, available_count=0, scan_count=19705153, drop_count=0, exec_time=1654935649, api_et=1654921200.000000000, api_lt=1654935600.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654921200.000000000, search_lt=1654935600.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2657", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=0, considered_events=19705153, total_slices=1298592, decompressed_slices=379296, duration.command.search.index=8215, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59475, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11135566, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 08:18:05.191, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654935420_73819', total_run_time=14.68, event_count=0, result_count=0, available_count=0, scan_count=19711281, drop_count=0, exec_time=1654935469, api_et=1654921020.000000000, api_lt=1654935420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654921020.000000000, search_lt=1654935420.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2597", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=0, considered_events=19711281, total_slices=1293582, decompressed_slices=379488, duration.command.search.index=7332, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55470, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11138806, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 08:17:05.152, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654935360_73794', total_run_time=13.15, event_count=0, result_count=0, available_count=0, scan_count=19716452, drop_count=0, exec_time=1654935409, api_et=1654920960.000000000, api_lt=1654935360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654920960.000000000, search_lt=1654935360.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2549", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=146, eliminated_buckets=0, considered_events=19716452, total_slices=1291958, decompressed_slices=379610, duration.command.search.index=7168, invocations.command.search.index.bucketcache.hit=146, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55551, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11143101, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 08:16:35.424, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654935360_73788', total_run_time=9.14, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654935370, api_et=1654931160.000000000, api_lt=1654934760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654931760.000000000, search_lt=1654935373.268106000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3962", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_117ecadf3da27c47", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1028, eliminated_buckets=352, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=676, invocations.command.search.index.bucketcache.hit=1028, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes 
values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 08:16:05.179, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654935300_73777', total_run_time=13.57, event_count=0, result_count=0, available_count=0, scan_count=19723558, drop_count=0, exec_time=1654935349, api_et=1654920900.000000000, api_lt=1654935300.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654920900.000000000, search_lt=1654935300.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2661", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=146, eliminated_buckets=0, considered_events=19723558, total_slices=1290387, 
decompressed_slices=379740, duration.command.search.index=7329, invocations.command.search.index.bucketcache.hit=146, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55499, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11146574, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 08:15:05.480, 
user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654935240_73758', total_run_time=12.44, event_count=0, result_count=0, available_count=0, scan_count=19727854, drop_count=0, exec_time=1654935290, api_et=1654920840.000000000, api_lt=1654935240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654920840.000000000, search_lt=1654935240.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2735", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=146, eliminated_buckets=0, considered_events=19727854, total_slices=1288700, decompressed_slices=379832, duration.command.search.index=6738, invocations.command.search.index.bucketcache.hit=146, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52537, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11147891, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" 
dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 08:14:35.145, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654935240_73745', total_run_time=4.39, event_count=0, result_count=0, available_count=0, scan_count=10502, drop_count=0, exec_time=1654935263, api_et=1654931640.000000000, api_lt=1654935240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654931640.000000000, search_lt=1654935265.109291000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2781", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=410, eliminated_buckets=285, considered_events=10502, total_slices=701010, decompressed_slices=1791, duration.command.search.index=899, invocations.command.search.index.bucketcache.hit=409, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5516, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=33, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=38, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=113, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=25, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=6, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=23, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" 
OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." 
(CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-11-2022 08:14:05.471, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654935180_73735', total_run_time=12.26, event_count=0, result_count=0, available_count=0, scan_count=19731444, drop_count=0, exec_time=1654935229, api_et=1654920780.000000000, api_lt=1654935180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654920780.000000000, search_lt=1654935180.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2709", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=0, considered_events=19731444, total_slices=1313052, decompressed_slices=379902, duration.command.search.index=6927, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55023, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11149612, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 08:13:05.269, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654935120_73708', total_run_time=12.35, event_count=0, result_count=0, available_count=0, scan_count=19736147, drop_count=0, exec_time=1654935169, api_et=1654920720.000000000, api_lt=1654935120.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654920720.000000000, search_lt=1654935120.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2688", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=0, considered_events=19736147, total_slices=1311425, decompressed_slices=380046, duration.command.search.index=7059, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=54416, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11152400, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 08:12:05.199, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654935060_73690', total_run_time=12.49, event_count=0, result_count=0, available_count=0, scan_count=19745050, drop_count=0, exec_time=1654935109, api_et=1654920660.000000000, api_lt=1654935060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654920660.000000000, search_lt=1654935060.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3133", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=0, considered_events=19745050, total_slices=1309883, decompressed_slices=380149, duration.command.search.index=7049, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53410, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11158719, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 08:11:35.309, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654935060_73672', total_run_time=5.32, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654935065, api_et=1654931460.000000000, api_lt=1654935060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654931460.000000000, search_lt=1654935067.816463000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="3306", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_c219a66524796e80", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=122, eliminated_buckets=45, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=55, invocations.command.search.index.bucketcache.hit=122, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting 
to collect intellectual property from the Gitlab source control system." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 08:11:05.133, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654935000_73664', total_run_time=12.36, event_count=0, result_count=0, available_count=0, scan_count=19751425, drop_count=0, exec_time=1654935049, api_et=1654920600.000000000, api_lt=1654935000.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654920600.000000000, search_lt=1654935000.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2571", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=0, considered_events=19751425, total_slices=1308269, decompressed_slices=380142, duration.command.search.index=6949, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53179, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11162798, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 08:10:32.452, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654934880_73629', total_run_time=13.44, event_count=0, result_count=0, available_count=0, scan_count=19757148, drop_count=0, exec_time=1654934930, api_et=1654920480.000000000, api_lt=1654934880.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654920480.000000000, search_lt=1654934880.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2522", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=0, considered_events=19757148, total_slices=1304859, decompressed_slices=380109, duration.command.search.index=7348, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55966, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11168530, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 08:10:32.236, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654934940_73638', total_run_time=24.71, event_count=0, result_count=0, available_count=0, scan_count=3736713, drop_count=0, exec_time=1654934946, api_et=1654930740.000000000, api_lt=1654934340.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654930740.000000000, search_lt=1654934340.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3092", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_cfd3a8156c7ce675", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=798, eliminated_buckets=372, considered_events=3736713, total_slices=1128279, decompressed_slices=166855, duration.command.search.index=1594, invocations.command.search.index.bucketcache.hit=796, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=28537, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=91, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 08:10:31.793, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654934940_73645', total_run_time=12.67, event_count=0, result_count=0, available_count=0, scan_count=19755076, drop_count=0, exec_time=1654934989, api_et=1654920540.000000000, api_lt=1654934940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654920540.000000000, search_lt=1654934940.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New 
IP", search_startup_time="3071", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=0, considered_events=19755076, total_slices=1306572, decompressed_slices=380130, duration.command.search.index=7132, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53066, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11165612, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as 
latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 08:08:32.986, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654934820_73615', total_run_time=23.31, event_count=1232, result_count=56, available_count=0, scan_count=315795, drop_count=0, exec_time=1654934880, api_et=1654931220.000000000, api_lt=1654934820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654931220.000000000, search_lt=1654934882.669991000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - Windows - CLI Threat Indicator Detected - Rule", search_startup_time="3246", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=409, eliminated_buckets=196, considered_events=319927, total_slices=513288, decompressed_slices=90166, duration.command.search.index=3034, invocations.command.search.index.bucketcache.hit=409, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=25116, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=262857, 
sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=28263, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-11-2022 08:08:03.228, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654934820_73612', total_run_time=12.78, event_count=0, result_count=0, available_count=0, scan_count=19763766, drop_count=0, 
exec_time=1654934869, api_et=1654920420.000000000, api_lt=1654934820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654920420.000000000, search_lt=1654934820.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2677", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=0, considered_events=19763766, total_slices=1303169, decompressed_slices=380142, duration.command.search.index=7484, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=54629, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11173181, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW 
src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 08:07:33.097, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654934760_73590', total_run_time=14.96, event_count=0, result_count=0, available_count=0, scan_count=19769070, drop_count=0, exec_time=1654934810, api_et=1654920360.000000000, api_lt=1654934760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654920360.000000000, search_lt=1654934760.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2801", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=0, considered_events=19769070, total_slices=1301543, decompressed_slices=380056, duration.command.search.index=7201, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56646, 
invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11175154, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 08:07:33.092, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654934820_73607', total_run_time=5.11, event_count=0, result_count=0, available_count=0, scan_count=4, drop_count=0, exec_time=1654934846, api_et=1654931220.000000000, api_lt=1654934820.000000000, api_index_et=N/A, api_index_lt=N/A, 
search_et=1654931220.000000000, search_lt=1654934848.184974000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2820", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_3b76ae0c5c46f289", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=409, eliminated_buckets=196, considered_events=4, total_slices=19025, decompressed_slices=4, duration.command.search.index=629, invocations.command.search.index.bucketcache.hit=409, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=532, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine 
"sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 08:06:19.149, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654934700_73576', total_run_time=14.88, event_count=0, result_count=0, available_count=0, scan_count=19773983, drop_count=0, exec_time=1654934749, api_et=1654920300.000000000, api_lt=1654934700.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654920300.000000000, search_lt=1654934700.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2702", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=1, considered_events=19773983, total_slices=1299887, decompressed_slices=380003, duration.command.search.index=7858, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57098, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11176272, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 08:05:51.486, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654934640_73559', total_run_time=13.23, event_count=0, result_count=0, available_count=0, 
scan_count=19777301, drop_count=0, exec_time=1654934690, api_et=1654920240.000000000, api_lt=1654934640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654920240.000000000, search_lt=1654934640.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2694", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=1, considered_events=19777301, total_slices=1298259, decompressed_slices=379895, duration.command.search.index=7684, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58758, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11177476, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv 
src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 08:05:50.724, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654934580_73517', total_run_time=15.99, event_count=0, result_count=0, available_count=0, scan_count=19779050, drop_count=0, exec_time=1654934629, api_et=1654920180.000000000, api_lt=1654934580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654920180.000000000, search_lt=1654934580.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2558", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=146, eliminated_buckets=0, considered_events=19779050, total_slices=1296564, decompressed_slices=379857, duration.command.search.index=8929, invocations.command.search.index.bucketcache.hit=146, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=69294, 
invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11179384, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 08:03:10.495, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654934520_73470', total_run_time=16.80, event_count=0, result_count=0, available_count=0, scan_count=19781994, drop_count=0, exec_time=1654934569, api_et=1654920120.000000000, api_lt=1654934520.000000000, api_index_et=N/A, api_index_lt=N/A, 
search_et=1654920120.000000000, search_lt=1654934520.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2608", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=146, eliminated_buckets=0, considered_events=19781994, total_slices=1294831, decompressed_slices=379842, duration.command.search.index=10075, invocations.command.search.index.bucketcache.hit=146, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=71565, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11179491, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval 
isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 08:02:10.653, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654934460_73439', total_run_time=16.09, event_count=0, result_count=0, available_count=0, scan_count=19784642, drop_count=0, exec_time=1654934509, api_et=1654920060.000000000, api_lt=1654934460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654920060.000000000, search_lt=1654934460.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2595", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=146, eliminated_buckets=0, considered_events=19784642, total_slices=1293218, decompressed_slices=379809, duration.command.search.index=9241, invocations.command.search.index.bucketcache.hit=146, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=72120, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, 
invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11181201, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 08:01:40.667, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654934400_73409', total_run_time=29.70, event_count=0, result_count=0, available_count=0, scan_count=19786512, drop_count=0, exec_time=1654934449, api_et=1654920000.000000000, api_lt=1654934400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654920000.000000000, search_lt=1654934400.000000000, is_realtime=0, 
savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2607", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=146, eliminated_buckets=0, considered_events=19786512, total_slices=1291676, decompressed_slices=379670, duration.command.search.index=10494, invocations.command.search.index.bucketcache.hit=146, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=95233, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11181114, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as 
ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 07:44:26.979, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654933380_73123', total_run_time=21.18, event_count=0, result_count=0, available_count=0, scan_count=3565, drop_count=0, exec_time=1654933418, api_et=1654929780.000000000, api_lt=1654933380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654929780.000000000, search_lt=1654933419.867365000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2785", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_5e90abc4ad28f10e", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=1, considered_events=3565, total_slices=848859, decompressed_slices=976, duration.command.search.index=1073, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4887, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, 
invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 07:37:21.739, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654932780_72920', total_run_time=35.89, event_count=0, result_count=0, available_count=0, scan_count=41873957, drop_count=0, exec_time=1654932806, api_et=1654929180.000000000, api_lt=1654932780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654929180.000000000, search_lt=1654932808.208744000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="4066", has_error_msg=false, 
fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_a1250338031811db", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1826, eliminated_buckets=134, considered_events=41873957, total_slices=14319406, decompressed_slices=4237911, duration.command.search.index=14713, invocations.command.search.index.bucketcache.hit=1823, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=228739, invocations.command.search.rawdata.bucketcache.hit=290, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, 
risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 07:16:22.653, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654931760_72579', total_run_time=8.61, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654931770, api_et=1654927560.000000000, api_lt=1654931160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654928160.000000000, search_lt=1654931772.401376000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3267", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_1c17c6db46684e24", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1033, eliminated_buckets=353, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=685, invocations.command.search.index.bucketcache.hit=1033, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 07:14:52.977, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654931640_72539', total_run_time=4.46, event_count=0, result_count=0, available_count=0, scan_count=11736, drop_count=0, exec_time=1654931663, api_et=1654928040.000000000, api_lt=1654931640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654928040.000000000, search_lt=1654931665.858016000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2886", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=409, eliminated_buckets=286, considered_events=11736, total_slices=648131, decompressed_slices=1968, duration.command.search.index=837, invocations.command.search.index.bucketcache.hit=409, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5518, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=26, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=22, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=67, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=15, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=8, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=24, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | 
`filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-11-2022 07:11:22.810, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654931460_72473', total_run_time=5.20, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654931464, api_et=1654927860.000000000, api_lt=1654931460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654927860.000000000, search_lt=1654931466.850775000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="3072", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_bed37126c3984e98", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=124, eliminated_buckets=47, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=54, invocations.command.search.index.bucketcache.hit=124, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 07:09:52.760, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654931340_72442', total_run_time=19.79, event_count=0, result_count=0, available_count=0, scan_count=4090386, drop_count=0, exec_time=1654931345, api_et=1654927140.000000000, api_lt=1654930740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654927140.000000000, search_lt=1654930740.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3041", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_5efa8433e01742a8", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=770, eliminated_buckets=353, considered_events=4090386, total_slices=1140231, decompressed_slices=177359, duration.command.search.index=1746, invocations.command.search.index.bucketcache.hit=769, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=31727, invocations.command.search.rawdata.bucketcache.hit=7, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=100, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?<granted_account_id>\d+?):(?<granted_principal_name>.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 07:08:22.673, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654931220_72424', total_run_time=21.50, event_count=1148, result_count=56, available_count=0, scan_count=292624, drop_count=0, exec_time=1654931279, api_et=1654927620.000000000, api_lt=1654931220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654927620.000000000, search_lt=1654931281.580805000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2411", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=409, eliminated_buckets=195, considered_events=301322, total_slices=503186, decompressed_slices=94669, duration.command.search.index=2964, invocations.command.search.index.bucketcache.hit=409, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=24122, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=239020, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=25875, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | 
rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-11-2022 07:07:52.832, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654931220_72419', total_run_time=5.45, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654931246, api_et=1654927620.000000000, api_lt=1654931220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654927620.000000000, search_lt=1654931248.404900000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2851", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_0d7e00549d7e5f87", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=409, eliminated_buckets=195, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=734, invocations.command.search.index.bucketcache.hit=409, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, 
invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?<dest_host>(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 06:44:56.080, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654929780_71947', total_run_time=21.34, event_count=0, result_count=0, available_count=0, scan_count=2962, drop_count=0, exec_time=1654929819, api_et=1654926180.000000000, api_lt=1654929780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654926180.000000000, search_lt=1654929821.021298000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2996", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_19f646111900b867", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=2, considered_events=2962, total_slices=784834, decompressed_slices=969, duration.command.search.index=1111, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4515, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 06:37:27.626, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654929180_71737', total_run_time=60.37, event_count=0, result_count=0, available_count=0, scan_count=41411204, drop_count=0, exec_time=1654929205, api_et=1654925580.000000000, api_lt=1654929180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654925580.000000000, search_lt=1654929207.534288000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3792", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_01569757d6b1b63e", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1829, eliminated_buckets=134, considered_events=41411204, total_slices=14379500, decompressed_slices=4206404, duration.command.search.index=15554, invocations.command.search.index.bucketcache.hit=1826, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=266109, invocations.command.search.rawdata.bucketcache.hit=295, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 06:16:28.211, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654928160_71386', total_run_time=7.90, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654928171, api_et=1654923960.000000000, api_lt=1654927560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654924560.000000000, search_lt=1654928172.937058000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3246", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_635c9b5080a95ca1", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1031, eliminated_buckets=355, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=631, invocations.command.search.index.bucketcache.hit=1031, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?<rapiddiag_operation>task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metadata")` | rex field=uri "\?(?<get_parameters>.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?<task_name>.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metadata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 06:15:15.692, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654928040_71346', total_run_time=6.16, event_count=0, result_count=0, available_count=0, scan_count=18205, drop_count=0, exec_time=1654928063, api_et=1654924440.000000000, api_lt=1654928040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654924440.000000000, search_lt=1654928065.363672000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2682", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=408, eliminated_buckets=286, considered_events=18546, total_slices=619461, decompressed_slices=2915, duration.command.search.index=1017, invocations.command.search.index.bucketcache.hit=408, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5877, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=34, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=42, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=130, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=28, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=5, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=26, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | 
`filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-11-2022 06:11:15.884, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654927860_71278', total_run_time=4.78, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654927864, api_et=1654924260.000000000, api_lt=1654927860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654924260.000000000, search_lt=1654927865.780731000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2283", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_32c3d00ecfcc337a", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=124, eliminated_buckets=47, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=55, invocations.command.search.index.bucketcache.hit=124, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?<dest_host>.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 06:09:41.099, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654927740_71245', total_run_time=23.77, event_count=0, result_count=0, available_count=0, scan_count=3906501, drop_count=0, exec_time=1654927746, api_et=1654923540.000000000, api_lt=1654927140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654923540.000000000, search_lt=1654927140.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3111", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_cb4fd1917da3b969", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=784, eliminated_buckets=360, considered_events=3906501, total_slices=1178463, decompressed_slices=175100, duration.command.search.index=1602, invocations.command.search.index.bucketcache.hit=784, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=28928, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=83, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?<granted_account_id>\d+?):(?<granted_principal_name>.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 06:08:44.655, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654927620_71225', total_run_time=16.10, event_count=1076, result_count=56, available_count=0, scan_count=279286, drop_count=0, exec_time=1654927680, api_et=1654924020.000000000, api_lt=1654927620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654924020.000000000, search_lt=1654927682.527764000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2984", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=409, eliminated_buckets=194, considered_events=284981, total_slices=479094, decompressed_slices=78934, duration.command.search.index=2775, invocations.command.search.index.bucketcache.hit=408, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=22196, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=230954, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=24197, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | 
rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-11-2022 06:07:45.194, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654927620_71220', total_run_time=5.01, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654927646, api_et=1654924020.000000000, api_lt=1654927620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654924020.000000000, search_lt=1654927648.777549000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2869", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_38937afb44cf3cee", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=409, eliminated_buckets=194, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=639, invocations.command.search.index.bucketcache.hit=408, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, 
invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 05:45:23.945, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654926180_70753', total_run_time=20.77, event_count=0, result_count=0, available_count=0, scan_count=5003, drop_count=0, exec_time=1654926218, api_et=1654922580.000000000, api_lt=1654926180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654922580.000000000, search_lt=1654926220.946225000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2950", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_aad777641717780f", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=5003, total_slices=936339, decompressed_slices=1828, duration.command.search.index=1007, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4913, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 05:37:33.586, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654925580_70550', total_run_time=38.18, event_count=0, result_count=0, available_count=0, scan_count=41724828, drop_count=0, exec_time=1654925606, api_et=1654921980.000000000, api_lt=1654925580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654921980.000000000, search_lt=1654925608.146164000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3995", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_b90eab43333de74a", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1841, eliminated_buckets=134, considered_events=41724828, total_slices=14442128, decompressed_slices=4227105, duration.command.search.index=14602, invocations.command.search.index.bucketcache.hit=1841, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=228217, invocations.command.search.rawdata.bucketcache.hit=299, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 05:16:28.375, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654924560_70211', total_run_time=7.83, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654924570, api_et=1654920360.000000000, api_lt=1654923960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654920960.000000000, search_lt=1654924572.498658000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3160", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_29e0e35339125510", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1036, eliminated_buckets=356, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=621, invocations.command.search.index.bucketcache.hit=1036, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 05:15:17.726, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654924440_70170', total_run_time=10.65, event_count=0, result_count=0, available_count=0, scan_count=11481, drop_count=0, exec_time=1654924464, api_et=1654920840.000000000, api_lt=1654924440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654920840.000000000, search_lt=1654924465.941253000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2890", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=409, eliminated_buckets=287, considered_events=11481, total_slices=559677, decompressed_slices=2330, duration.command.search.index=1074, invocations.command.search.index.bucketcache.hit=409, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=6944, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=31, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=33, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=87, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=19, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=5, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=28, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | 
`filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-11-2022 05:11:28.386, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654924260_70104', total_run_time=5.20, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654924264, api_et=1654920660.000000000, api_lt=1654924260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654920660.000000000, search_lt=1654924266.770149000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="3173", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_328b344ba43ce685", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=125, eliminated_buckets=47, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=60, invocations.command.search.index.bucketcache.hit=125, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 05:09:58.263, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654924140_70072', total_run_time=36.50, event_count=0, result_count=0, available_count=0, scan_count=3979285, drop_count=0, exec_time=1654924146, api_et=1654919940.000000000, api_lt=1654923540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654919940.000000000, search_lt=1654923540.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3153", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_27ab7466096851e0", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=784, eliminated_buckets=358, considered_events=3979285, total_slices=1189994, decompressed_slices=176458, duration.command.search.index=2235, invocations.command.search.index.bucketcache.hit=783, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=47919, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=88, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 05:08:28.343, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654924020_70054', total_run_time=25.21, event_count=1079, result_count=56, available_count=0, scan_count=280252, drop_count=0, exec_time=1654924080, api_et=1654920420.000000000, api_lt=1654924020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654920420.000000000, search_lt=1654924082.486665000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="3017", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=408, eliminated_buckets=194, considered_events=288211, total_slices=529951, decompressed_slices=72967, duration.command.search.index=8081, invocations.command.search.index.bucketcache.hit=408, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=81570, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=230906, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=24269, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | 
rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-11-2022 05:07:58.144, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654924020_70048', total_run_time=13.34, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654924046, api_et=1654920420.000000000, api_lt=1654924020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654920420.000000000, search_lt=1654924048.297864000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2699", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_aa8ab8d4c0cc1c8d", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=408, eliminated_buckets=194, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=1917, invocations.command.search.index.bucketcache.hit=408, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, 
invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 05:00:26.233, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654923540_69853', total_run_time=15.14, event_count=0, result_count=0, available_count=0, scan_count=20259450, drop_count=0, exec_time=1654923590, api_et=1654909140.000000000, api_lt=1654923540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654909140.000000000, search_lt=1654923540.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3043", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=149, eliminated_buckets=0, considered_events=20259450, total_slices=1478917, decompressed_slices=376727, duration.command.search.index=6685, invocations.command.search.index.bucketcache.hit=149, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57096, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11186263, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 04:59:25.962, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654923480_69840', total_run_time=13.15, event_count=0, result_count=0, available_count=0, scan_count=20265826, drop_count=0, exec_time=1654923529, api_et=1654909080.000000000, api_lt=1654923480.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654909080.000000000, search_lt=1654923480.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3154", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=149, eliminated_buckets=0, considered_events=20265826, total_slices=1477107, decompressed_slices=376803, duration.command.search.index=6928, invocations.command.search.index.bucketcache.hit=149, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52226, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11187367, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 04:58:26.264, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654923420_69824', total_run_time=12.62, event_count=0, result_count=0, available_count=0, scan_count=20274546, drop_count=0, exec_time=1654923469, api_et=1654909020.000000000, api_lt=1654923420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654909020.000000000, search_lt=1654923420.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2570", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=149, eliminated_buckets=1, considered_events=20274546, total_slices=1475330, decompressed_slices=376796, duration.command.search.index=6848, invocations.command.search.index.bucketcache.hit=149, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56362, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11189702, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 04:57:26.246, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654923360_69807', total_run_time=13.02, event_count=0, result_count=0, available_count=0, scan_count=20282455, drop_count=0, exec_time=1654923409, api_et=1654908960.000000000, api_lt=1654923360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654908960.000000000, search_lt=1654923360.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2766", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=149, eliminated_buckets=1, considered_events=20282455, total_slices=1473342, decompressed_slices=376722, duration.command.search.index=6881, invocations.command.search.index.bucketcache.hit=149, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=54649, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11190935, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 04:56:11.374, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654923300_69796', total_run_time=13.40, event_count=0, result_count=0, available_count=0, scan_count=20286632, drop_count=0, exec_time=1654923349, api_et=1654908900.000000000, api_lt=1654923300.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654908900.000000000, search_lt=1654923300.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2615", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=149, eliminated_buckets=1, considered_events=20286632, total_slices=1471741, decompressed_slices=376634, duration.command.search.index=7164, invocations.command.search.index.bucketcache.hit=149, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53211, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11188961, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 04:55:42.072, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654923180_69764', total_run_time=12.43, event_count=0, result_count=0, available_count=0, scan_count=20299033, drop_count=0, exec_time=1654923229, api_et=1654908780.000000000, api_lt=1654923180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654908780.000000000, search_lt=1654923180.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3219", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=149, eliminated_buckets=1, considered_events=20299033, total_slices=1493976, decompressed_slices=376483, duration.command.search.index=7264, invocations.command.search.index.bucketcache.hit=149, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52580, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11189033, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 04:55:41.512, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654923240_69780', total_run_time=12.63, event_count=0, result_count=0, available_count=0, scan_count=20292024, drop_count=0, exec_time=1654923289, api_et=1654908840.000000000, api_lt=1654923240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654908840.000000000, search_lt=1654923240.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2680", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=149, eliminated_buckets=1, considered_events=20292024, total_slices=1469827, decompressed_slices=376472, duration.command.search.index=7252, invocations.command.search.index.bucketcache.hit=149, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52493, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11188659, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 04:53:09.105, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654923120_69740', total_run_time=12.79, event_count=0, result_count=0, available_count=0, scan_count=20305190, drop_count=0, exec_time=1654923169, api_et=1654908720.000000000, api_lt=1654923120.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654908720.000000000, search_lt=1654923120.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2625", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=148, eliminated_buckets=1, considered_events=20305190, total_slices=1492156, decompressed_slices=376416, duration.command.search.index=7557, invocations.command.search.index.bucketcache.hit=148, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53612, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11188731, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 04:52:09.168, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654923060_69723', total_run_time=12.75, event_count=0, result_count=0, available_count=0, scan_count=20312081, drop_count=0, exec_time=1654923109, api_et=1654908660.000000000, api_lt=1654923060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654908660.000000000, search_lt=1654923060.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2722", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=148, eliminated_buckets=1, considered_events=20312081, total_slices=1490398, decompressed_slices=376402, duration.command.search.index=7466, invocations.command.search.index.bucketcache.hit=148, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53398, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11188665, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 04:51:09.363, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654923000_69699', total_run_time=16.52, event_count=0, result_count=0, available_count=0, scan_count=20316529, drop_count=0, exec_time=1654923049, api_et=1654908600.000000000, api_lt=1654923000.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654908600.000000000, search_lt=1654923000.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2594", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=148, eliminated_buckets=1, considered_events=20316529, total_slices=1488692, decompressed_slices=376374, duration.command.search.index=8758, invocations.command.search.index.bucketcache.hit=148, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=63099, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11187285, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 04:50:09.261, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654922940_69675', total_run_time=13.51, event_count=0, result_count=0, available_count=0, scan_count=20323611, drop_count=0, exec_time=1654922990, api_et=1654908540.000000000, api_lt=1654922940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654908540.000000000, search_lt=1654922940.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2788", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=0, considered_events=20323611, total_slices=1486953, decompressed_slices=376319, duration.command.search.index=7051, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55777, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11186682, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 04:49:13.291, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654922880_69654', total_run_time=13.26, event_count=0, result_count=0, available_count=0, scan_count=20330365, drop_count=0, exec_time=1654922929, api_et=1654908480.000000000, api_lt=1654922880.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654908480.000000000, search_lt=1654922880.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2752", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=0, considered_events=20330365, total_slices=1485081, decompressed_slices=376229, duration.command.search.index=7699, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55268, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11186439, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 04:48:10.552, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654922820_69637', total_run_time=12.97, event_count=0, result_count=0, available_count=0, scan_count=20340387, drop_count=0, exec_time=1654922870, api_et=1654908420.000000000, api_lt=1654922820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654908420.000000000, search_lt=1654922820.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2669", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=0, considered_events=20340387, total_slices=1483268, decompressed_slices=376245, duration.command.search.index=7063, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53937, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11190967, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 04:47:09.160, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654922760_69616', total_run_time=13.47, event_count=0, result_count=0, available_count=0, scan_count=20345441, drop_count=0, exec_time=1654922809, api_et=1654908360.000000000, api_lt=1654922760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654908360.000000000, search_lt=1654922760.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2894", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=0, considered_events=20345441, total_slices=1481543, decompressed_slices=376308, duration.command.search.index=7229, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53318, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11191631, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 04:46:09.029, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654922700_69598', total_run_time=13.10, event_count=0, result_count=0, available_count=0, scan_count=20350517, drop_count=0, exec_time=1654922749, api_et=1654908300.000000000, api_lt=1654922700.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654908300.000000000, search_lt=1654922700.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2554", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=0, considered_events=20350517, total_slices=1479795, decompressed_slices=376310, duration.command.search.index=6946, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55302, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11192088, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 04:45:08.461, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654922640_69574', total_run_time=12.94, event_count=0, result_count=0, available_count=0, scan_count=20350947, drop_count=0, exec_time=1654922689, api_et=1654908240.000000000, api_lt=1654922640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654908240.000000000, search_lt=1654922640.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2759", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=0, considered_events=20350947, total_slices=1478019, decompressed_slices=376241, duration.command.search.index=7087, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52623, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11189757, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 04:44:53.070, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654922580_69551', total_run_time=21.20, event_count=0, result_count=0, available_count=0, scan_count=4082, drop_count=0, exec_time=1654922618, api_et=1654918980.000000000, api_lt=1654922580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654918980.000000000, search_lt=1654922620.415971000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2791", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_a15ef29630248c7f", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=4082, total_slices=889346, decompressed_slices=1742, duration.command.search.index=1042, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4928, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 04:44:52.524, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654922580_69554', total_run_time=12.60, event_count=0, result_count=0, available_count=0, scan_count=20355889, drop_count=0, exec_time=1654922629, api_et=1654908180.000000000, api_lt=1654922580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654908180.000000000, search_lt=1654922580.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3098", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=0, considered_events=20355889, total_slices=1476225, decompressed_slices=376233, duration.command.search.index=7450, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53640, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11189980, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 04:43:08.830, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654922520_69526', total_run_time=13.68, event_count=0, result_count=0, available_count=0, scan_count=20361702, drop_count=0, exec_time=1654922569, api_et=1654908120.000000000, api_lt=1654922520.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654908120.000000000, search_lt=1654922520.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2771", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=0, considered_events=20361702, total_slices=1474461, decompressed_slices=376259, duration.command.search.index=7632, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57166, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11190927, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 04:42:09.156, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654922460_69503', total_run_time=12.39, event_count=0, result_count=0, available_count=0, scan_count=20368864, drop_count=0, exec_time=1654922510, api_et=1654908060.000000000, api_lt=1654922460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654908060.000000000, search_lt=1654922460.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2562", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=0, considered_events=20368864, total_slices=1472738, decompressed_slices=376168, duration.command.search.index=7433, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55230, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11191018, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 04:41:08.958, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654922400_69478', total_run_time=16.23, event_count=0, result_count=0, available_count=0, scan_count=20375261, drop_count=0, exec_time=1654922449, api_et=1654908000.000000000, api_lt=1654922400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654908000.000000000, search_lt=1654922400.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2720", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=0, considered_events=20375261, total_slices=1471041, decompressed_slices=376172, duration.command.search.index=8481, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61177, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11190829, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 04:40:09.153, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654922340_69455', total_run_time=13.39, event_count=0, result_count=0, available_count=0, scan_count=20381766, drop_count=0, exec_time=1654922390, api_et=1654907940.000000000, api_lt=1654922340.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654907940.000000000, search_lt=1654922340.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2657", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=0, considered_events=20381766, total_slices=1469151, decompressed_slices=376178, duration.command.search.index=7141, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52920, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11190084, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 04:39:35.171, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654922280_69438', total_run_time=12.42, event_count=0, result_count=0, available_count=0, scan_count=20389460, drop_count=0, exec_time=1654922329, api_et=1654907880.000000000, api_lt=1654922280.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654907880.000000000, search_lt=1654922280.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2714", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=0, considered_events=20389460, total_slices=1467195, decompressed_slices=376221, duration.command.search.index=7489, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53994, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11190346, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 04:38:08.994, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654922220_69424', total_run_time=12.72, event_count=0, result_count=0, available_count=0, scan_count=20398544, drop_count=0, exec_time=1654922270, api_et=1654907820.000000000, api_lt=1654922220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654907820.000000000, search_lt=1654922220.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2782", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=0, considered_events=20398544, total_slices=1465507, decompressed_slices=376281, duration.command.search.index=7035, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55513, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11190128, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 04:37:10.848, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654922160_69409', total_run_time=12.43, event_count=0, result_count=0, available_count=0, scan_count=20406548, drop_count=0, exec_time=1654922210, api_et=1654907760.000000000, api_lt=1654922160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654907760.000000000, search_lt=1654922160.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2803", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=0, considered_events=20406548, total_slices=1463870, decompressed_slices=376255, duration.command.search.index=7129, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53520, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11189949, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 04:36:08.825, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654922100_69399', total_run_time=12.14, event_count=0, result_count=0, available_count=0, scan_count=20411104, drop_count=0, exec_time=1654922150, api_et=1654907700.000000000, api_lt=1654922100.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654907700.000000000, search_lt=1654922100.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2675", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=0, considered_events=20411104, total_slices=1462143, decompressed_slices=376305, duration.command.search.index=7097, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52798, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11188354, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 04:35:08.775, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654922040_69376', total_run_time=13.13, event_count=0, result_count=0, available_count=0, scan_count=20418909, drop_count=0, exec_time=1654922089, api_et=1654907640.000000000, api_lt=1654922040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654907640.000000000, search_lt=1654922040.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2777", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=0, considered_events=20418909, total_slices=1460381, decompressed_slices=376342, duration.command.search.index=7460, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55821, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11186103, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 04:34:09.364, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654921980_69341', total_run_time=15.83, event_count=0, result_count=0, available_count=0, scan_count=20424790, drop_count=0, exec_time=1654922029, api_et=1654907580.000000000, api_lt=1654921980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654907580.000000000, search_lt=1654921980.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2756", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=0, considered_events=20424790, total_slices=1458683, decompressed_slices=376319, duration.command.search.index=8232, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=64495, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11184703, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 04:34:08.987, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654921980_69329', total_run_time=36.28, event_count=0, result_count=0, available_count=0, scan_count=42008653, drop_count=0, exec_time=1654922006, api_et=1654918380.000000000, api_lt=1654921980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654918380.000000000, search_lt=1654922008.250986000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3793", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_ee0fc1b72d6f632c", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1837, eliminated_buckets=134, considered_events=42008653, total_slices=14342914, decompressed_slices=4282142, duration.command.search.index=16389, invocations.command.search.index.bucketcache.hit=1836, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=230169, invocations.command.search.rawdata.bucketcache.hit=298, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 04:33:08.891, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654921920_69304', total_run_time=16.49, event_count=0, result_count=0, available_count=0, scan_count=20434143, drop_count=0, exec_time=1654921969, api_et=1654907520.000000000, api_lt=1654921920.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654907520.000000000, search_lt=1654921920.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3222", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=0, considered_events=20434143, total_slices=1456919, decompressed_slices=376336, duration.command.search.index=8061, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=60360, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11185370, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 04:32:09.108, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654921860_69275', total_run_time=14.34, event_count=0, result_count=0, available_count=0, scan_count=20444217, drop_count=0, exec_time=1654921909, api_et=1654907460.000000000, api_lt=1654921860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654907460.000000000, search_lt=1654921860.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3090", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=0, considered_events=20444217, total_slices=1454863, decompressed_slices=376381, duration.command.search.index=7748, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58155, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11185547, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 04:31:39.815, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654921800_69246', total_run_time=20.38, event_count=0, result_count=0, available_count=0, scan_count=20450000, drop_count=0, exec_time=1654921849, api_et=1654907400.000000000, api_lt=1654921800.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654907400.000000000, search_lt=1654921800.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2717", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=0, considered_events=20450000, total_slices=1453476, decompressed_slices=376402, duration.command.search.index=10173, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=75266, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11182860, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 04:30:09.181, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654921740_69215', total_run_time=12.63, event_count=0, result_count=0, available_count=0, scan_count=20454677, drop_count=0, exec_time=1654921789, api_et=1654907340.000000000, api_lt=1654921740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654907340.000000000, search_lt=1654921740.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2662", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=0, considered_events=20454677, total_slices=1451671, decompressed_slices=376474, duration.command.search.index=6885, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55842, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11179319, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 04:29:23.421, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654921680_69202', total_run_time=12.23, event_count=0, result_count=0, available_count=0, scan_count=20459847, drop_count=0, exec_time=1654921729, api_et=1654907280.000000000, api_lt=1654921680.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654907280.000000000, search_lt=1654921680.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2721", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=0, considered_events=20459847, total_slices=1449902, decompressed_slices=376528, duration.command.search.index=7172, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53985, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11177723, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 04:28:08.983, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654921620_69187', total_run_time=12.75, event_count=0, result_count=0, available_count=0, scan_count=20465224, drop_count=0, exec_time=1654921670, api_et=1654907220.000000000, api_lt=1654921620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654907220.000000000, search_lt=1654921620.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2777", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=0, considered_events=20465224, total_slices=1448179, decompressed_slices=376498, duration.command.search.index=7084, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55861, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11177181, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 04:27:08.838, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654921560_69169', total_run_time=12.08, event_count=0, result_count=0, available_count=0, scan_count=20470683, drop_count=0, exec_time=1654921610, api_et=1654907160.000000000, api_lt=1654921560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654907160.000000000, search_lt=1654921560.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2775", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=148, eliminated_buckets=0, considered_events=20470683, total_slices=1472496, decompressed_slices=376420, duration.command.search.index=6957, invocations.command.search.index.bucketcache.hit=148, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53901, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11174483, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 04:26:08.806, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654921500_69153', total_run_time=13.42, event_count=0, result_count=0, available_count=0, scan_count=20478092, drop_count=0, exec_time=1654921549, api_et=1654907100.000000000, api_lt=1654921500.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654907100.000000000, search_lt=1654921500.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2602", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=148, eliminated_buckets=0, considered_events=20478092, total_slices=1496722, decompressed_slices=376322, duration.command.search.index=7028, invocations.command.search.index.bucketcache.hit=148, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53461, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11173038, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 04:25:10.668, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654921440_69139', total_run_time=12.98, event_count=0, result_count=0, available_count=0, scan_count=20487619, drop_count=0, exec_time=1654921489, api_et=1654907040.000000000, api_lt=1654921440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654907040.000000000, search_lt=1654921440.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2671", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=148, eliminated_buckets=0, considered_events=20487619, total_slices=1494970, decompressed_slices=376393, duration.command.search.index=7422, invocations.command.search.index.bucketcache.hit=148, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52625, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11173440, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 04:25:10.482, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654921380_69120', total_run_time=13.71, event_count=0, result_count=0, available_count=0, scan_count=20497163, drop_count=0, exec_time=1654921429, api_et=1654906980.000000000, api_lt=1654921380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654906980.000000000, search_lt=1654921380.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2818", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=148, eliminated_buckets=0, considered_events=20497163, total_slices=1493124, decompressed_slices=376484, duration.command.search.index=7243, invocations.command.search.index.bucketcache.hit=148, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53399, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11173019, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 04:23:07.550, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654921320_69087', total_run_time=13.51, event_count=0, result_count=0, available_count=0, scan_count=20506193, drop_count=0, exec_time=1654921369, api_et=1654906920.000000000, api_lt=1654921320.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654906920.000000000, search_lt=1654921320.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3282", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=148, eliminated_buckets=0, considered_events=20506193, total_slices=1491430, decompressed_slices=376538, duration.command.search.index=7293, invocations.command.search.index.bucketcache.hit=148, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56252, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11174072, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 04:22:05.527, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654921260_69070', total_run_time=13.46, event_count=0, result_count=0, available_count=0, scan_count=20518364, drop_count=0, exec_time=1654921309, api_et=1654906860.000000000, api_lt=1654921260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654906860.000000000, search_lt=1654921260.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2597", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=148, eliminated_buckets=0, considered_events=20518364, total_slices=1489748, decompressed_slices=376465, duration.command.search.index=7613, invocations.command.search.index.bucketcache.hit=148, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55647, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11176302, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 04:21:30.955, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654921200_69042', total_run_time=15.44, event_count=0, result_count=0, available_count=0, scan_count=20524929, drop_count=0, exec_time=1654921249, api_et=1654906800.000000000, api_lt=1654921200.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654906800.000000000, search_lt=1654921200.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2713", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=149, eliminated_buckets=0, considered_events=20524929, total_slices=1514110, decompressed_slices=376582, duration.command.search.index=8361, invocations.command.search.index.bucketcache.hit=149, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58951, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11176112, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 04:21:30.673, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654921080_68993', total_run_time=14.46, event_count=0, result_count=0, available_count=0, scan_count=20542401, drop_count=0, exec_time=1654921129, api_et=1654906680.000000000, api_lt=1654921080.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654906680.000000000, search_lt=1654921080.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2680", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=149, eliminated_buckets=0, considered_events=20542401, total_slices=1510614, decompressed_slices=376652, duration.command.search.index=8298, invocations.command.search.index.bucketcache.hit=149, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61260, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11175464, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 04:21:30.150, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654921140_69019', total_run_time=13.04, event_count=0, result_count=0, available_count=0, scan_count=20533079, drop_count=0, exec_time=1654921189, api_et=1654906740.000000000, api_lt=1654921140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654906740.000000000, search_lt=1654921140.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2714", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=149, eliminated_buckets=0, considered_events=20533079, total_slices=1512363, decompressed_slices=376591, duration.command.search.index=7646, invocations.command.search.index.bucketcache.hit=149, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53407, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11175894, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 04:18:08.465, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654921020_68972', total_run_time=12.91, event_count=0, result_count=0, available_count=0, scan_count=20553512, drop_count=0, exec_time=1654921070, api_et=1654906620.000000000, api_lt=1654921020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654906620.000000000, search_lt=1654921020.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2591", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=149, eliminated_buckets=0, considered_events=20553512, total_slices=1508824, decompressed_slices=376670, duration.command.search.index=7495, invocations.command.search.index.bucketcache.hit=149, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55895, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11177231, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 04:17:08.799, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654920960_68949', total_run_time=13.52, event_count=0, result_count=0, available_count=0, scan_count=20564434, drop_count=0, exec_time=1654921009, api_et=1654906560.000000000, api_lt=1654920960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654906560.000000000, search_lt=1654920960.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2564", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=149, eliminated_buckets=0, considered_events=20564434, total_slices=1507166, decompressed_slices=376571, duration.command.search.index=7569, invocations.command.search.index.bucketcache.hit=149, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55634, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11177932, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 04:16:25.028, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654920900_68931', total_run_time=12.45, event_count=0, result_count=0, available_count=0, scan_count=20571490, drop_count=0, exec_time=1654920949, api_et=1654906500.000000000, api_lt=1654920900.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654906500.000000000, search_lt=1654920900.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2412", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=149, eliminated_buckets=0, considered_events=20571490, total_slices=1505387, decompressed_slices=376455, duration.command.search.index=7289, invocations.command.search.index.bucketcache.hit=149, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55798, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11176259, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 04:16:24.686, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654920960_68943', total_run_time=8.35, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654920970, api_et=1654916760.000000000, api_lt=1654920360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654917360.000000000, search_lt=1654920972.100924000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3182", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_7a0381d5562d6348", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1038, eliminated_buckets=356, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=662, invocations.command.search.index.bucketcache.hit=1038, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes 
values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 04:15:57.932, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654920840_68911', total_run_time=12.27, event_count=0, result_count=0, available_count=0, scan_count=20580265, drop_count=0, exec_time=1654920889, api_et=1654906440.000000000, api_lt=1654920840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654906440.000000000, search_lt=1654920840.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2606", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=149, eliminated_buckets=0, considered_events=20580265, total_slices=1503552, 
decompressed_slices=376498, duration.command.search.index=7225, invocations.command.search.index.bucketcache.hit=149, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55874, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11176600, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 04:15:57.309, 
user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654920780_68889', total_run_time=12.18, event_count=0, result_count=0, available_count=0, scan_count=20590353, drop_count=0, exec_time=1654920829, api_et=1654906380.000000000, api_lt=1654920780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654906380.000000000, search_lt=1654920780.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2645", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=148, eliminated_buckets=0, considered_events=20590353, total_slices=1501846, decompressed_slices=376591, duration.command.search.index=7286, invocations.command.search.index.bucketcache.hit=148, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56792, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11176812, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" 
dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 04:15:57.289, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654920840_68899', total_run_time=4.58, event_count=0, result_count=0, available_count=0, scan_count=20966, drop_count=0, exec_time=1654920863, api_et=1654917240.000000000, api_lt=1654920840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654917240.000000000, search_lt=1654920865.366198000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2864", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=412, eliminated_buckets=289, considered_events=22037, total_slices=529498, decompressed_slices=2617, duration.command.search.index=1126, invocations.command.search.index.bucketcache.hit=412, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5758, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=49, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=67, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=199, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=45, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=9, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=39, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=1, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR 
sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." 
(CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-11-2022 04:13:21.163, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654920720_68862', total_run_time=13.81, event_count=0, result_count=0, available_count=0, scan_count=20599650, drop_count=0, exec_time=1654920770, api_et=1654906320.000000000, api_lt=1654920720.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654906320.000000000, search_lt=1654920720.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2701", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=148, eliminated_buckets=0, considered_events=20599650, total_slices=1500124, decompressed_slices=376667, duration.command.search.index=7767, invocations.command.search.index.bucketcache.hit=148, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51812, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11176473, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 04:12:21.204, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654920660_68843', total_run_time=12.32, event_count=0, result_count=0, available_count=0, scan_count=20605810, drop_count=0, exec_time=1654920708, api_et=1654906260.000000000, api_lt=1654920660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654906260.000000000, search_lt=1654920660.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2535", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=148, eliminated_buckets=0, considered_events=20605810, total_slices=1498404, decompressed_slices=376641, duration.command.search.index=7687, invocations.command.search.index.bucketcache.hit=148, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=54213, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11173223, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 04:11:21.201, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654920660_68827', total_run_time=5.42, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654920665, api_et=1654917060.000000000, api_lt=1654920660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654917060.000000000, search_lt=1654920667.418959000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="3245", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_4d2e5d6992e99d16", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=123, eliminated_buckets=47, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=60, invocations.command.search.index.bucketcache.hit=123, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 04:11:21.183, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654920600_68817', total_run_time=15.85, event_count=0, result_count=0, available_count=0, scan_count=20611435, drop_count=0, exec_time=1654920649, api_et=1654906200.000000000, api_lt=1654920600.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654906200.000000000, search_lt=1654920600.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3109", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=148, eliminated_buckets=0, considered_events=20611435, total_slices=1496770, decompressed_slices=376739, duration.command.search.index=7987, invocations.command.search.index.bucketcache.hit=148, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58036, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11170383, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 04:10:10.098, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654920540_68798', total_run_time=13.25, event_count=0, result_count=0, available_count=0, scan_count=20619016, drop_count=0, exec_time=1654920590, api_et=1654906140.000000000, api_lt=1654920540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654906140.000000000, search_lt=1654920540.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2719", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=148, eliminated_buckets=0, considered_events=20619016, total_slices=1494983, decompressed_slices=376836, duration.command.search.index=7309, invocations.command.search.index.bucketcache.hit=148, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55061, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11168935, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 04:09:54.766, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654920540_68791', total_run_time=19.18, event_count=0, result_count=0, available_count=0, scan_count=4097587, drop_count=0, exec_time=1654920546, api_et=1654916340.000000000, api_lt=1654919940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654916340.000000000, search_lt=1654919940.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3131", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_976b94dc7ee8c5be", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=788, eliminated_buckets=363, considered_events=4097587, total_slices=1211424, decompressed_slices=177476, duration.command.search.index=1663, invocations.command.search.index.bucketcache.hit=786, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=30070, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=80, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 04:09:54.613, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654920480_68782', total_run_time=12.51, event_count=0, result_count=0, available_count=0, scan_count=20628464, drop_count=0, exec_time=1654920529, api_et=1654906080.000000000, api_lt=1654920480.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654906080.000000000, search_lt=1654920480.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New 
IP", search_startup_time="2675", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=148, eliminated_buckets=0, considered_events=20628464, total_slices=1493331, decompressed_slices=376976, duration.command.search.index=7479, invocations.command.search.index.bucketcache.hit=148, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52488, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11166992, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as 
latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 04:08:51.215, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654920420_68768', total_run_time=20.81, event_count=1158, result_count=62, available_count=0, scan_count=312762, drop_count=0, exec_time=1654920480, api_et=1654916820.000000000, api_lt=1654920420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654916820.000000000, search_lt=1654920482.384872000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2845", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=408, eliminated_buckets=194, considered_events=324779, total_slices=626605, decompressed_slices=87911, duration.command.search.index=3325, invocations.command.search.index.bucketcache.hit=408, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=25135, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=257092, 
sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=26451, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-11-2022 04:08:21.263, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654920420_68765', total_run_time=14.11, event_count=0, result_count=0, available_count=0, scan_count=20642305, drop_count=0, 
exec_time=1654920470, api_et=1654906020.000000000, api_lt=1654920420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654906020.000000000, search_lt=1654920420.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2714", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=148, eliminated_buckets=0, considered_events=20642305, total_slices=1491646, decompressed_slices=377220, duration.command.search.index=7606, invocations.command.search.index.bucketcache.hit=148, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=54492, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11168743, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW 
src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 04:07:51.393, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654920420_68760', total_run_time=4.98, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654920446, api_et=1654916820.000000000, api_lt=1654920420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654916820.000000000, search_lt=1654920448.070148000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2742", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_8b9bd55d93674370", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=408, eliminated_buckets=194, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=654, invocations.command.search.index.bucketcache.hit=408, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, 
duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 04:07:21.213, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654920360_68745', total_run_time=14.67, event_count=0, result_count=0, available_count=0, scan_count=20654473, drop_count=0, exec_time=1654920410, api_et=1654905960.000000000, api_lt=1654920360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654905960.000000000, search_lt=1654920360.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2691", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=148, eliminated_buckets=0, considered_events=20654473, total_slices=1490071, decompressed_slices=377298, duration.command.search.index=7666, invocations.command.search.index.bucketcache.hit=148, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58075, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11169768, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 04:06:07.325, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654920300_68730', total_run_time=14.15, event_count=0, result_count=0, available_count=0, scan_count=20663271, drop_count=0, exec_time=1654920350, api_et=1654905900.000000000, api_lt=1654920300.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654905900.000000000, search_lt=1654920300.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2567", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=148, eliminated_buckets=0, considered_events=20663271, total_slices=1488514, decompressed_slices=377447, duration.command.search.index=8033, invocations.command.search.index.bucketcache.hit=148, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59357, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11170015, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 04:05:38.732, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654920180_68670', total_run_time=20.68, event_count=0, result_count=0, available_count=0, scan_count=20687219, drop_count=0, exec_time=1654920229, api_et=1654905780.000000000, api_lt=1654920180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654905780.000000000, search_lt=1654920180.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3076", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=149, eliminated_buckets=0, considered_events=20687219, total_slices=1511302, decompressed_slices=377783, duration.command.search.index=9966, invocations.command.search.index.bucketcache.hit=149, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=85321, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11171806, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 04:05:38.714, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654920240_68711', total_run_time=16.31, event_count=0, result_count=0, available_count=0, scan_count=20673623, drop_count=0, exec_time=1654920289, api_et=1654905840.000000000, api_lt=1654920240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654905840.000000000, search_lt=1654920240.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2777", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=148, eliminated_buckets=0, considered_events=20673623, total_slices=1486826, decompressed_slices=377603, duration.command.search.index=8837, invocations.command.search.index.bucketcache.hit=148, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=65733, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11169954, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 04:03:24.100, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654920120_68623', total_run_time=17.75, event_count=0, result_count=0, available_count=0, scan_count=20699837, drop_count=0, exec_time=1654920169, api_et=1654905720.000000000, api_lt=1654920120.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654905720.000000000, search_lt=1654920120.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2854", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=149, eliminated_buckets=0, considered_events=20699837, total_slices=1509578, decompressed_slices=377905, duration.command.search.index=10506, invocations.command.search.index.bucketcache.hit=149, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=81377, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11174250, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 04:02:24.613, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654920060_68593', total_run_time=19.82, event_count=0, result_count=0, available_count=0, scan_count=20710455, drop_count=0, exec_time=1654920109, api_et=1654905660.000000000, api_lt=1654920060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654905660.000000000, search_lt=1654920060.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2727", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=149, eliminated_buckets=1, considered_events=20710455, total_slices=1508050, decompressed_slices=378051, duration.command.search.index=9849, invocations.command.search.index.bucketcache.hit=149, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=82668, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11175886, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 04:01:23.776, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654920000_68561', total_run_time=20.85, event_count=0, result_count=0, available_count=0, scan_count=20694709, drop_count=0, exec_time=1654920050, api_et=1654905600.000000000, api_lt=1654920000.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654905600.000000000, search_lt=1654920000.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2617", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=149, eliminated_buckets=1, considered_events=20694709, total_slices=1506379, decompressed_slices=377597, duration.command.search.index=10386, invocations.command.search.index.bucketcache.hit=149, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=88933, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11153322, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 03:44:15.533, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654918980_68261', total_run_time=21.59, event_count=0, result_count=0, available_count=0, scan_count=4764, drop_count=0, exec_time=1654919018, api_et=1654915380.000000000, api_lt=1654918980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654915380.000000000, search_lt=1654919020.079275000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2973", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_6c35c18aed473108", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=142, eliminated_buckets=0, considered_events=4764, total_slices=1021384, decompressed_slices=1493, duration.command.search.index=1059, invocations.command.search.index.bucketcache.hit=142, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4884, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter 
vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 03:37:11.679, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654918380_68051', total_run_time=35.39, event_count=0, result_count=0, available_count=0, scan_count=42264154, drop_count=0, exec_time=1654918405, api_et=1654914780.000000000, api_lt=1654918380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654914780.000000000, search_lt=1654918407.170238000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3763", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_16d15d4d62f5c500", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1845, eliminated_buckets=135, considered_events=42264154, total_slices=14472741, decompressed_slices=4283977, duration.command.search.index=14543, invocations.command.search.index.bucketcache.hit=1843, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=230042, invocations.command.search.rawdata.bucketcache.hit=305, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 03:16:29.500, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654917360_67706', total_run_time=6.95, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654917370, api_et=1654913160.000000000, api_lt=1654916760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654913760.000000000, search_lt=1654917372.402165000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3255", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_eac727becd21e260", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1038, eliminated_buckets=356, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=676, invocations.command.search.index.bucketcache.hit=1038, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes 
values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 03:14:29.621, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654917240_67665', total_run_time=4.88, event_count=0, result_count=0, available_count=0, scan_count=12740, drop_count=0, exec_time=1654917263, api_et=1654913640.000000000, api_lt=1654917240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654913640.000000000, search_lt=1654917264.914396000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2746", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=403, eliminated_buckets=281, considered_events=12740, total_slices=475734, decompressed_slices=1707, duration.command.search.index=784, 
invocations.command.search.index.bucketcache.hit=403, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5347, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=34, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=57, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=173, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=38, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=7, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=39, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR 
sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." 
(CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-11-2022 03:11:29.569, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654917060_67598', total_run_time=4.77, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654917064, api_et=1654913460.000000000, api_lt=1654917060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654913460.000000000, search_lt=1654917066.074550000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2709", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_669f488907e32198", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=124, eliminated_buckets=48, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=52, invocations.command.search.index.bucketcache.hit=124, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 03:10:20.982, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654916940_67564', total_run_time=17.29, event_count=0, result_count=0, available_count=0, scan_count=3851202, drop_count=0, exec_time=1654916945, api_et=1654912740.000000000, api_lt=1654916340.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654912740.000000000, search_lt=1654916340.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3076", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_5e876385c9d279b3", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=775, eliminated_buckets=355, considered_events=3851202, total_slices=1169307, decompressed_slices=172013, duration.command.search.index=1593, invocations.command.search.index.bucketcache.hit=775, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=28827, invocations.command.search.rawdata.bucketcache.hit=6, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=99, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 03:08:29.546, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654916820_67545', total_run_time=17.90, event_count=1156, result_count=58, available_count=0, scan_count=309013, drop_count=0, exec_time=1654916880, api_et=1654913220.000000000, api_lt=1654916820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654913220.000000000, search_lt=1654916882.546083000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2882", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=404, eliminated_buckets=194, considered_events=317333, total_slices=650508, decompressed_slices=84999, duration.command.search.index=3288, invocations.command.search.index.bucketcache.hit=404, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=26047, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=251603, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=26416, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | 
rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-11-2022 03:07:59.627, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654916820_67540', total_run_time=5.02, event_count=0, result_count=0, available_count=0, scan_count=1, drop_count=0, exec_time=1654916845, api_et=1654913220.000000000, api_lt=1654916820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654913220.000000000, search_lt=1654916847.736260000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2675", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_0429c4ef07991949", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=404, eliminated_buckets=194, considered_events=1, total_slices=12490, decompressed_slices=1, duration.command.search.index=751, invocations.command.search.index.bucketcache.hit=404, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, 
invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=128, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 02:44:50.513, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654915380_67051', total_run_time=21.28, event_count=0, result_count=0, available_count=0, scan_count=4328, drop_count=0, exec_time=1654915418, api_et=1654911780.000000000, api_lt=1654915380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654911780.000000000, search_lt=1654915420.158540000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2814", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_40b8c01f6a44f7b0", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=133, eliminated_buckets=1, considered_events=4328, total_slices=1071983, decompressed_slices=1406, duration.command.search.index=1078, invocations.command.search.index.bucketcache.hit=133, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4930, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 02:37:44.761, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654914780_66841', total_run_time=35.67, event_count=0, result_count=0, available_count=0, scan_count=42226188, drop_count=0, exec_time=1654914805, api_et=1654911180.000000000, api_lt=1654914780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654911180.000000000, search_lt=1654914807.577585000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3668", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_461c6f489cbbd2ad", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1847, eliminated_buckets=135, considered_events=42226188, total_slices=14346943, decompressed_slices=4290251, duration.command.search.index=17196, invocations.command.search.index.bucketcache.hit=1847, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=230769, invocations.command.search.rawdata.bucketcache.hit=308, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 02:16:21.287, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654913760_66490', total_run_time=7.41, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654913770, api_et=1654909560.000000000, api_lt=1654913160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654910160.000000000, search_lt=1654913772.831840000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3292", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_ac250381ffa6c87e", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1037, eliminated_buckets=357, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=728, invocations.command.search.index.bucketcache.hit=1037, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 02:14:51.336, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654913640_66450', total_run_time=4.52, event_count=0, result_count=0, available_count=0, scan_count=15005, drop_count=0, exec_time=1654913663, api_et=1654910040.000000000, api_lt=1654913640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654910040.000000000, search_lt=1654913665.835504000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="3036", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=404, eliminated_buckets=282, considered_events=15067, total_slices=435729, decompressed_slices=2399, duration.command.search.index=1121, invocations.command.search.index.bucketcache.hit=404, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5710, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=26, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=94, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=401, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=62, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=9, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=49, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=2, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") 
`filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-11-2022 02:11:17.237, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654913340_66353', total_run_time=19.07, event_count=0, result_count=0, available_count=0, scan_count=3998072, drop_count=0, exec_time=1654913346, api_et=1654909140.000000000, api_lt=1654912740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654909140.000000000, search_lt=1654912740.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3348", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_e90e2b97a77949e7", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=785, eliminated_buckets=363, considered_events=3998072, total_slices=1120542, decompressed_slices=180406, duration.command.search.index=1779, invocations.command.search.index.bucketcache.hit=783, 
duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=30982, invocations.command.search.rawdata.bucketcache.hit=7, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=88, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | 
`rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 02:11:17.118, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654913460_66383', total_run_time=5.54, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654913464, api_et=1654909860.000000000, api_lt=1654913460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654909860.000000000, search_lt=1654913466.364626000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2287", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_935b740d937db907", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=123, eliminated_buckets=52, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=47, invocations.command.search.index.bucketcache.hit=123, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search 
index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 02:08:28.880, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654913220_66338', total_run_time=16.53, event_count=2000, result_count=109, available_count=0, scan_count=351440, drop_count=0, exec_time=1654913284, api_et=1654909620.000000000, api_lt=1654913220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654909620.000000000, search_lt=1654913286.582788000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2876", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=403, eliminated_buckets=195, considered_events=359554, total_slices=622964, decompressed_slices=82677, duration.command.search.index=2691, invocations.command.search.index.bucketcache.hit=403, 
duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=24974, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=288161, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=33045, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI 
Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-11-2022 02:07:58.937, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654913220_66327', total_run_time=6.04, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654913247, api_et=1654909620.000000000, api_lt=1654913220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654909620.000000000, search_lt=1654913248.877284000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2850", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_444e6d3046ac3c8b", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=403, eliminated_buckets=195, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=663, invocations.command.search.index.bucketcache.hit=403, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 01:44:37.887, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654911780_65857', total_run_time=43.30, event_count=0, result_count=0, available_count=0, scan_count=3976, drop_count=0, exec_time=1654911818, api_et=1654908180.000000000, api_lt=1654911780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654908180.000000000, search_lt=1654911820.371770000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2897", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_a0cd2d12bd25eca3", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=3976, total_slices=995332, decompressed_slices=1303, duration.command.search.index=1235, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5038, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 01:37:31.647, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654911180_65650', total_run_time=36.78, event_count=0, result_count=0, available_count=0, scan_count=42281133, drop_count=0, exec_time=1654911205, api_et=1654907580.000000000, api_lt=1654911180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654907580.000000000, search_lt=1654911207.707416000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3721", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_7786efadd3e4bae4", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1841, eliminated_buckets=135, considered_events=42281133, total_slices=14137451, decompressed_slices=4315236, duration.command.search.index=17441, invocations.command.search.index.bucketcache.hit=1838, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=232432, invocations.command.search.rawdata.bucketcache.hit=294, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 01:16:37.474, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654910160_65308', total_run_time=7.46, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654910171, api_et=1654905960.000000000, api_lt=1654909560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654906560.000000000, search_lt=1654910173.158719000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3414", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_0a09c4b2384cde06", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1041, eliminated_buckets=358, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=641, invocations.command.search.index.bucketcache.hit=1041, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 01:14:37.524, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654910040_65268', total_run_time=6.31, event_count=0, result_count=0, available_count=0, scan_count=12383, drop_count=0, exec_time=1654910063, api_et=1654906440.000000000, api_lt=1654910040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654906440.000000000, search_lt=1654910065.041529000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2682", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=405, eliminated_buckets=280, considered_events=12411, total_slices=430095, decompressed_slices=2530, duration.command.search.index=1191, invocations.command.search.index.bucketcache.hit=405, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=6422, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=40, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=109, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=573, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=71, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=248, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=154, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=2, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") 
`filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-11-2022 01:11:25.885, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654909860_65201', total_run_time=5.88, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654909864, api_et=1654906260.000000000, api_lt=1654909860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654906260.000000000, search_lt=1654909866.349474000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="3024", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_7df203726a24ccea", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=123, eliminated_buckets=53, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=38, invocations.command.search.index.bucketcache.hit=123, 
duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 01:11:01.908, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654909740_65169', total_run_time=23.68, event_count=0, result_count=0, available_count=0, scan_count=3984391, drop_count=0, exec_time=1654909745, api_et=1654905540.000000000, api_lt=1654909140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654905540.000000000, search_lt=1654909140.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3003", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_b35db0f504f9eae8", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=787, eliminated_buckets=362, considered_events=3984391, total_slices=1076555, decompressed_slices=188466, duration.command.search.index=1691, invocations.command.search.index.bucketcache.hit=786, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=31036, invocations.command.search.rawdata.bucketcache.hit=9, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=169, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 01:08:42.137, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654909620_65150', total_run_time=17.21, event_count=1861, result_count=110, available_count=0, scan_count=413306, drop_count=0, exec_time=1654909680, api_et=1654906020.000000000, api_lt=1654909620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654906020.000000000, search_lt=1654909682.493242000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="3228", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=404, eliminated_buckets=196, considered_events=418398, total_slices=572069, decompressed_slices=98068, duration.command.search.index=2992, invocations.command.search.index.bucketcache.hit=404, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=28367, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=2, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=340309, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=33928, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype 
CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-11-2022 01:07:42.223, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654909620_65145', total_run_time=6.52, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654909646, api_et=1654906020.000000000, api_lt=1654909620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654906020.000000000, search_lt=1654909648.320428000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2792", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_94a40b9d6f1eae81", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=403, eliminated_buckets=196, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=840, invocations.command.search.index.bucketcache.hit=403, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 01:00:53.927, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654909140_64953', total_run_time=50.22, event_count=0, result_count=0, available_count=0, scan_count=24295577, drop_count=0, exec_time=1654909191, api_et=1654894740.000000000, api_lt=1654909140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654894740.000000000, search_lt=1654909140.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3100", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=146, eliminated_buckets=0, considered_events=24295577, total_slices=1541716, decompressed_slices=413662, duration.command.search.index=9017, invocations.command.search.index.bucketcache.hit=146, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=77101, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12019501, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 00:59:21.673, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654909080_64940', total_run_time=16.42, event_count=0, result_count=0, available_count=0, scan_count=24316289, drop_count=0, exec_time=1654909129, api_et=1654894680.000000000, api_lt=1654909080.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654894680.000000000, search_lt=1654909080.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3212", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=24316289, total_slices=1539711, decompressed_slices=413881, duration.command.search.index=8892, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=67094, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12024830, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 00:58:23.158, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654909020_64923', total_run_time=23.44, event_count=0, result_count=0, available_count=0, scan_count=24333289, drop_count=0, exec_time=1654909070, api_et=1654894620.000000000, api_lt=1654909020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654894620.000000000, search_lt=1654909020.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2697", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=24333289, total_slices=1538116, decompressed_slices=414051, duration.command.search.index=9674, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=69735, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12028613, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 00:57:23.815, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654908960_64904', total_run_time=20.57, event_count=0, result_count=0, available_count=0, scan_count=24349422, drop_count=0, exec_time=1654909009, api_et=1654894560.000000000, api_lt=1654908960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654894560.000000000, search_lt=1654908960.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2599", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=24349422, total_slices=1536369, decompressed_slices=414441, duration.command.search.index=8767, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=71410, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12032791, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 00:56:21.544, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654908900_64893', total_run_time=26.63, event_count=0, result_count=0, available_count=0, scan_count=24367233, drop_count=0, exec_time=1654908949, api_et=1654894500.000000000, api_lt=1654908900.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654894500.000000000, search_lt=1654908900.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2774", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=24367233, total_slices=1534709, decompressed_slices=414565, duration.command.search.index=9073, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=71727, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12038001, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 00:55:26.285, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654908840_64874', total_run_time=21.11, event_count=0, result_count=0, available_count=0, scan_count=24386650, drop_count=0, exec_time=1654908889, api_et=1654894440.000000000, api_lt=1654908840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654894440.000000000, search_lt=1654908840.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2649", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=24386650, total_slices=1532907, decompressed_slices=414732, duration.command.search.index=9224, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=66669, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12044051, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 00:55:10.251, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654908780_64858', total_run_time=35.06, event_count=0, result_count=0, available_count=0, scan_count=24402954, drop_count=0, exec_time=1654908830, api_et=1654894380.000000000, api_lt=1654908780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654894380.000000000, search_lt=1654908780.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3378", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=24402954, total_slices=1531277, decompressed_slices=414898, duration.command.search.index=9380, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=70766, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12047822, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 00:53:24.072, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654908720_64832', total_run_time=31.08, event_count=0, result_count=0, available_count=0, scan_count=24421032, drop_count=0, exec_time=1654908769, api_et=1654894320.000000000, api_lt=1654908720.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654894320.000000000, search_lt=1654908720.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2685", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=24421032, total_slices=1529489, decompressed_slices=415105, duration.command.search.index=10354, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=80440, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12052994, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 00:52:51.568, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654908660_64815', total_run_time=47.26, event_count=0, result_count=0, available_count=0, scan_count=24438697, drop_count=0, exec_time=1654908709, api_et=1654894260.000000000, api_lt=1654908660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654894260.000000000, search_lt=1654908660.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2592", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=24438697, total_slices=1527627, decompressed_slices=415313, duration.command.search.index=11134, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=89941, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12057702, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 00:51:20.866, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654908480_64745', total_run_time=38.54, event_count=0, result_count=0, available_count=0, scan_count=24493791, drop_count=0, exec_time=1654908529, api_et=1654894080.000000000, api_lt=1654908480.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654894080.000000000, search_lt=1654908480.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2722", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=24493791, total_slices=1522614, decompressed_slices=416041, duration.command.search.index=10580, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=86619, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12073143, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 00:51:20.269, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654908540_64769', total_run_time=62.95, event_count=0, result_count=0, available_count=0, scan_count=24476106, drop_count=0, exec_time=1654908589, api_et=1654894140.000000000, api_lt=1654908540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654894140.000000000, search_lt=1654908540.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2851", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=24476106, total_slices=1524360, decompressed_slices=415806, duration.command.search.index=9472, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=88590, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12069704, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 00:48:28.418, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654908420_64728', total_run_time=33.14, event_count=0, result_count=0, available_count=0, scan_count=24512272, drop_count=0, exec_time=1654908469, api_et=1654894020.000000000, api_lt=1654908420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654894020.000000000, search_lt=1654908420.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2795", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=24512272, total_slices=1520841, decompressed_slices=416239, duration.command.search.index=9541, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=79674, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12076071, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 00:47:27.680, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654908360_64705', total_run_time=30.27, event_count=0, result_count=0, available_count=0, scan_count=24533114, drop_count=0, exec_time=1654908409, api_et=1654893960.000000000, api_lt=1654908360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654893960.000000000, search_lt=1654908360.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2568", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=24533114, total_slices=1519138, decompressed_slices=416529, duration.command.search.index=9963, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=76277, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12080669, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 00:46:28.433, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654908300_64686', total_run_time=27.88, event_count=0, result_count=0, available_count=0, scan_count=24553085, drop_count=0, exec_time=1654908349, api_et=1654893900.000000000, api_lt=1654908300.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654893900.000000000, search_lt=1654908300.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2666", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=24553085, total_slices=1517433, decompressed_slices=416721, duration.command.search.index=9908, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=79790, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12085862, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 00:45:57.426, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654908240_64663', total_run_time=45.31, event_count=0, result_count=0, available_count=0, scan_count=24575776, drop_count=0, exec_time=1654908290, api_et=1654893840.000000000, api_lt=1654908240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654893840.000000000, search_lt=1654908240.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3209", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=24575776, total_slices=1515808, decompressed_slices=416980, duration.command.search.index=11508, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=85551, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12093445, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 00:44:57.746, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654908180_64642', total_run_time=44.71, event_count=0, result_count=0, available_count=0, scan_count=24596438, drop_count=0, exec_time=1654908229, api_et=1654893780.000000000, api_lt=1654908180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654893780.000000000, search_lt=1654908180.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3220", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=24596438, total_slices=1514098, decompressed_slices=417220, duration.command.search.index=11802, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=92280, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12100748, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 00:44:57.404, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654908180_64639', total_run_time=51.03, event_count=0, result_count=0, available_count=0, scan_count=3633, drop_count=0, exec_time=1654908218, api_et=1654904580.000000000, api_lt=1654908180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654904580.000000000, search_lt=1654908220.283378000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2440", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_5bd8a0d4806f2eed", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=3633, total_slices=1016091, decompressed_slices=1217, duration.command.search.index=1649, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=6605, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 00:43:57.771, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654908120_64614', total_run_time=46.61, event_count=0, result_count=0, available_count=0, scan_count=24617057, drop_count=0, exec_time=1654908169, api_et=1654893720.000000000, api_lt=1654908120.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654893720.000000000, search_lt=1654908120.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2720", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=24617057, total_slices=1512327, decompressed_slices=417475, duration.command.search.index=11311, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=97505, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12108519, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 00:42:58.121, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654908060_64591', total_run_time=45.41, event_count=0, result_count=0, available_count=0, scan_count=24635331, drop_count=0, exec_time=1654908109, api_et=1654893660.000000000, api_lt=1654908060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654893660.000000000, search_lt=1654908060.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2727", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=24635331, total_slices=1510620, decompressed_slices=417645, duration.command.search.index=10511, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=101840, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12114849, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 00:41:28.397, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654907940_64546', total_run_time=67.60, event_count=0, result_count=0, available_count=0, scan_count=24680115, drop_count=0, exec_time=1654907990, api_et=1654893540.000000000, api_lt=1654907940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654893540.000000000, search_lt=1654907940.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3022", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=24680115, total_slices=1507228, decompressed_slices=418000, duration.command.search.index=10994, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=109439, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12131342, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 00:40:22.176, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654907880_64529', total_run_time=51.72, event_count=0, result_count=0, available_count=0, scan_count=24697196, drop_count=0, exec_time=1654907930, api_et=1654893480.000000000, api_lt=1654907880.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654893480.000000000, search_lt=1654907880.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2696", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=24697196, total_slices=1505520, decompressed_slices=418134, duration.command.search.index=10788, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=93801, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12138551, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 00:38:28.290, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654907760_64499', total_run_time=67.38, event_count=0, result_count=0, available_count=0, scan_count=24735667, drop_count=0, exec_time=1654907810, api_et=1654893360.000000000, api_lt=1654907760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654893360.000000000, search_lt=1654907760.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2806", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=24735667, total_slices=1502117, decompressed_slices=418655, duration.command.search.index=10981, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=93718, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12151471, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 00:36:57.923, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654907640_64469', total_run_time=109.09, event_count=0, result_count=0, available_count=0, scan_count=24777597, drop_count=0, exec_time=1654907690, api_et=1654893240.000000000, api_lt=1654907640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654893240.000000000, search_lt=1654907640.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2719", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=24777597, total_slices=1498651, decompressed_slices=418954, duration.command.search.index=14783, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=109804, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12166094, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 00:34:46.263, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654907580_64420', total_run_time=46.48, event_count=0, result_count=0, available_count=0, scan_count=42189760, drop_count=0, exec_time=1654907606, api_et=1654903980.000000000, api_lt=1654907580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654903980.000000000, search_lt=1654907607.935393000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="4122", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_562adb8ec7d093a3", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1882, eliminated_buckets=135, considered_events=42189760, total_slices=14386081, decompressed_slices=4302580, duration.command.search.index=20357, invocations.command.search.index.bucketcache.hit=1882, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=247947, invocations.command.search.rawdata.bucketcache.hit=336, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 00:33:58.600, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654907460_64369', total_run_time=123.29, event_count=0, result_count=0, available_count=0, scan_count=24861707, drop_count=0, exec_time=1654907509, api_et=1654893060.000000000, api_lt=1654907460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654893060.000000000, search_lt=1654907460.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3330", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=24861707, total_slices=1493358, decompressed_slices=419748, duration.command.search.index=18330, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=176424, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12184340, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 00:31:27.574, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654907340_64313', total_run_time=74.06, event_count=0, result_count=0, available_count=0, scan_count=24953526, drop_count=0, exec_time=1654907389, api_et=1654892940.000000000, api_lt=1654907340.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654892940.000000000, search_lt=1654907340.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2641", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=143, eliminated_buckets=0, considered_events=24953526, total_slices=1489768, decompressed_slices=420567, duration.command.search.index=12326, invocations.command.search.index.bucketcache.hit=143, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=108303, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12198468, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 00:28:57.525, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654907220_64286', total_run_time=62.55, event_count=0, result_count=0, available_count=0, scan_count=25039170, drop_count=0, exec_time=1654907269, api_et=1654892820.000000000, api_lt=1654907220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654892820.000000000, search_lt=1654907220.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2646", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=143, eliminated_buckets=0, considered_events=25039170, total_slices=1485820, decompressed_slices=421136, duration.command.search.index=19163, invocations.command.search.index.bucketcache.hit=143, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=147560, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12203721, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 00:27:27.645, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654907160_64267', total_run_time=26.02, event_count=0, result_count=0, available_count=0, scan_count=25087528, drop_count=0, exec_time=1654907209, api_et=1654892760.000000000, api_lt=1654907160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654892760.000000000, search_lt=1654907160.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2674", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=143, eliminated_buckets=0, considered_events=25087528, total_slices=1484483, decompressed_slices=421615, duration.command.search.index=9837, invocations.command.search.index.bucketcache.hit=143, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=81814, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12214558, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 00:26:27.537, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654907100_64251', total_run_time=29.60, event_count=0, result_count=0, available_count=0, scan_count=25126390, drop_count=0, exec_time=1654907149, api_et=1654892700.000000000, api_lt=1654907100.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654892700.000000000, search_lt=1654907100.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2990", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=143, eliminated_buckets=0, considered_events=25126390, total_slices=1482797, decompressed_slices=422045, duration.command.search.index=9774, invocations.command.search.index.bucketcache.hit=143, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=84551, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12217789, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 00:25:57.546, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654907040_64237', total_run_time=47.82, event_count=0, result_count=0, available_count=0, scan_count=25167847, drop_count=0, exec_time=1654907089, api_et=1654892640.000000000, api_lt=1654907040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654892640.000000000, search_lt=1654907040.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2809", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=143, eliminated_buckets=1, considered_events=25167847, total_slices=1481127, decompressed_slices=422307, duration.command.search.index=10780, invocations.command.search.index.bucketcache.hit=143, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=89548, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12223066, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 00:24:55.885, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654906980_64218', total_run_time=38.42, event_count=0, result_count=0, available_count=0, scan_count=25207901, drop_count=0, exec_time=1654907029, api_et=1654892580.000000000, api_lt=1654906980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654892580.000000000, search_lt=1654906980.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2741", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=142, eliminated_buckets=0, considered_events=25207901, total_slices=1479295, decompressed_slices=422553, duration.command.search.index=10793, invocations.command.search.index.bucketcache.hit=142, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=88842, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12228011, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 00:22:57.959, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654906860_64171', total_run_time=66.71, event_count=0, result_count=0, available_count=0, scan_count=25286745, drop_count=0, exec_time=1654906909, api_et=1654892460.000000000, api_lt=1654906860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654892460.000000000, search_lt=1654906860.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2602", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=142, eliminated_buckets=0, considered_events=25286745, total_slices=1475907, decompressed_slices=423311, duration.command.search.index=14814, invocations.command.search.index.bucketcache.hit=142, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=124701, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12234267, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 00:22:27.533, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD5f35305de57109d38_at_1654906800_64144', total_run_time=80.96, event_count=12239623, result_count=15, available_count=0, scan_count=25331222, drop_count=0, exec_time=1654906857, api_et=1654892400.000000000, api_lt=1654906800.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654892400.000000000, search_lt=1654906800.000000000, is_realtime=0, savedsearch_name="(1/3)_Public/NAT IP_Updating Existing IP", search_startup_time="2674", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_0f6d107c44b6659a", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=142, eliminated_buckets=0, considered_events=25331222, total_slices=1474271, decompressed_slices=423668, duration.command.search.index=16011, invocations.command.search.index.bucketcache.hit=142, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=135093, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12239623, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="False" | eval earliest_seen=strptime(existing_es, "%m/%d/%Y %H:%M:%S.%N") | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(earliest_seen) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields ServiceType, host, src_translated_ip, earliest_seen, latest_seen, right_now, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 00:21:26.497, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654906740_64118', total_run_time=78.81, event_count=0, result_count=0, available_count=0, scan_count=25375059, drop_count=0, exec_time=1654906790, api_et=1654892340.000000000, api_lt=1654906740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654892340.000000000, search_lt=1654906740.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2722", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=142, eliminated_buckets=0, considered_events=25375059, total_slices=1472253, decompressed_slices=423976, duration.command.search.index=13954, invocations.command.search.index.bucketcache.hit=142, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=132859, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12245216, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 00:20:55.950, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654906620_64071', total_run_time=61.84, event_count=0, result_count=0, available_count=0, scan_count=25456308, drop_count=0, exec_time=1654906669, api_et=1654892220.000000000, api_lt=1654906620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654892220.000000000, search_lt=1654906620.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2872", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=142, eliminated_buckets=0, considered_events=25456308, total_slices=1468684, decompressed_slices=424742, duration.command.search.index=12623, invocations.command.search.index.bucketcache.hit=142, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=110632, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12254650, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 00:17:12.262, user=u00002, action=search, info=completed, search_id='scheduler__u00002__search__RMD5b133e58a16dd7195_at_1654905600_63815', total_run_time=717.47, event_count=2696, result_count=2695, available_count=0, scan_count=1757290, drop_count=0, exec_time=1654905889, api_et=1654819200.000000000, api_lt=1654905600.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1567209600.000000000, search_lt=1654905600.000000000, is_realtime=0, savedsearch_name="DMO Confluence Aging Metrics", search_startup_time="65158", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_search_u00002_a9c39647ee820b2d", app="search", 
provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=30399, eliminated_buckets=4804, considered_events=1757290, total_slices=14055455, decompressed_slices=1089811, duration.command.search.index=3285482, invocations.command.search.index.bucketcache.hit=25426, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=5023, duration.command.search.index.bucketcache.miss=2472838, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=329725, invocations.command.search.rawdata.bucketcache.hit=18802, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=2868, duration.command.search.rawdata.bucketcache.miss=2050410, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__access=71088, sourcetype_count__atlassian:confluence:access=1170765, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search earliest=08/31/2019:00:00:00 latest=now index=ops_confluence url IN ("https://confluence.tshirt.com/display/SEC/*") uri_path="/rest/quickreload/latest/*" | fields url, uri_path | rex field=uri_path "\/rest\/quickreload\/latest\/(?[^?]+)" | rex field=url "https:\/\/confluence.tshirt.com\/display\/SEC\/(?[^?]+)" | rex field=url "https://confluence.tshirt.com/display/~u00001/(?[^?]+)" | eval pageTitle=coalesce(pageTitle_1, pageTitle_2, "") | fields pageId, pageTitle | dedup pageId | join type=left pageId [search earliest=08/31/2019:00:00:00 latest=now index=ops_confluence PUT user=* url="https://confluence.tshirt.com/pages/resumedraft.action?draftId=*" uri_path="/rest/api/content/*" | rex field=uri_path 
"\/rest\/api\/content\/(?[^?]+)\?status=draft" | stats latest(_time) AS last_edited latest(user) AS last_edited_by by pageId | fields last_edited last_edited_by pageId] | fields last_edited pageTitle pageId last_edited_by | eval days=round(((now()-last_edited)/86400),0) | convert ctime(last_edited) | table last_edited pageTitle pageId last_edited_by days | where pageId!=0 | sort +days | outputlookup dmo_conf_age.csv'] Audit:[timestamp=06-11-2022 00:17:12.195, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654906500_64031', total_run_time=62.54, event_count=0, result_count=0, available_count=0, scan_count=25537312, drop_count=0, exec_time=1654906549, api_et=1654892100.000000000, api_lt=1654906500.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654892100.000000000, search_lt=1654906500.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2620", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=142, eliminated_buckets=0, considered_events=25537312, total_slices=1465489, decompressed_slices=425610, duration.command.search.index=12451, invocations.command.search.index.bucketcache.hit=142, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=102379, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, 
invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12264840, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 00:16:42.196, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654906560_64042', total_run_time=8.51, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654906571, api_et=1654902360.000000000, api_lt=1654905960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654902960.000000000, search_lt=1654906573.494380000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3718", 
has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_813f815acb9d652e", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1041, eliminated_buckets=359, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=655, invocations.command.search.index.bucketcache.hit=1041, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time 
values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 00:15:39.344, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654906440_64012', total_run_time=43.67, event_count=0, result_count=0, available_count=0, scan_count=25578334, drop_count=0, exec_time=1654906489, api_et=1654892040.000000000, api_lt=1654906440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654892040.000000000, search_lt=1654906440.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2749", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=142, eliminated_buckets=0, 
considered_events=25578334, total_slices=1463537, decompressed_slices=425890, duration.command.search.index=11348, invocations.command.search.index.bucketcache.hit=142, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=109181, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12271088, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t 
gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 00:15:08.233, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654906440_63999', total_run_time=10.39, event_count=0, result_count=0, available_count=0, scan_count=11092, drop_count=0, exec_time=1654906463, api_et=1654902840.000000000, api_lt=1654906440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654902840.000000000, search_lt=1654906465.348611000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2892", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=405, eliminated_buckets=282, considered_events=11147, total_slices=399142, decompressed_slices=2902, duration.command.search.index=1145, invocations.command.search.index.bucketcache.hit=405, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=6561, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=44, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=247, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=650, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=151, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=8, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=192, sourcetype_count__crowdstrike:falcon:fdr:RtfFileWritten=4, 
sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=3, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | 
`filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-11-2022 00:15:07.733, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654906380_63989', total_run_time=49.05, event_count=0, result_count=0, available_count=0, scan_count=25617583, drop_count=0, exec_time=1654906429, api_et=1654891980.000000000, api_lt=1654906380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654891980.000000000, search_lt=1654906380.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2717", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=142, eliminated_buckets=0, considered_events=25617583, total_slices=1461776, decompressed_slices=426126, duration.command.search.index=12691, invocations.command.search.index.bucketcache.hit=142, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=93951, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12276756, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 00:13:12.107, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654906260_63943', total_run_time=81.39, event_count=0, result_count=0, available_count=0, 
scan_count=25703174, drop_count=0, exec_time=1654906309, api_et=1654891860.000000000, api_lt=1654906260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654891860.000000000, search_lt=1654906260.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3362", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=142, eliminated_buckets=0, considered_events=25703174, total_slices=1458401, decompressed_slices=426741, duration.command.search.index=13983, invocations.command.search.index.bucketcache.hit=142, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=120427, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12288806, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv 
src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 00:11:13.023, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654906260_63925', total_run_time=5.63, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654906264, api_et=1654902660.000000000, api_lt=1654906260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654902660.000000000, search_lt=1654906266.586490000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2912", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_10e0c0c806131098", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=123, eliminated_buckets=53, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=40, invocations.command.search.index.bucketcache.hit=123, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, 
invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 00:11:12.240, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654906140_63897', total_run_time=63.36, event_count=0, result_count=0, available_count=0, scan_count=25788924, drop_count=0, exec_time=1654906189, api_et=1654891740.000000000, api_lt=1654906140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654891740.000000000, search_lt=1654906140.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2742", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=142, eliminated_buckets=0, considered_events=25788924, total_slices=1454951, decompressed_slices=427333, duration.command.search.index=12988, invocations.command.search.index.bucketcache.hit=142, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=123814, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12300501, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 00:10:12.323, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654906080_63880', total_run_time=57.48, event_count=0, result_count=0, available_count=0, scan_count=25828352, drop_count=0, exec_time=1654906129, api_et=1654891680.000000000, api_lt=1654906080.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654891680.000000000, search_lt=1654906080.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2706", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=142, eliminated_buckets=0, considered_events=25828352, total_slices=1453012, decompressed_slices=427627, duration.command.search.index=11997, invocations.command.search.index.bucketcache.hit=142, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=116929, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12305049, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 00:09:42.376, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654906140_63888', total_run_time=23.55, event_count=1, result_count=1, available_count=0, scan_count=3764856, drop_count=0, exec_time=1654906146, api_et=1654901940.000000000, api_lt=1654905540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654901940.000000000, search_lt=1654905540.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="2985", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_4673caac4fc8fc7f", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=784, eliminated_buckets=362, considered_events=3764856, total_slices=1043659, decompressed_slices=176336, duration.command.search.index=2046, invocations.command.search.index.bucketcache.hit=784, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=33925, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=150, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 00:09:12.759, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654906020_63865', total_run_time=55.21, event_count=0, result_count=0, available_count=0, scan_count=25869468, drop_count=0, exec_time=1654906070, api_et=1654891620.000000000, api_lt=1654906020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654891620.000000000, search_lt=1654906020.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New 
IP", search_startup_time="2735", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=142, eliminated_buckets=1, considered_events=25869468, total_slices=1451339, decompressed_slices=427895, duration.command.search.index=15097, invocations.command.search.index.bucketcache.hit=142, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=122740, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12309754, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as 
latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 00:08:42.130, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654906020_63868', total_run_time=32.36, event_count=1154, result_count=59, available_count=0, scan_count=381624, drop_count=0, exec_time=1654906080, api_et=1654902420.000000000, api_lt=1654906020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654902420.000000000, search_lt=1654906082.616930000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2978", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=410, eliminated_buckets=196, considered_events=388665, total_slices=598445, decompressed_slices=109443, duration.command.search.index=5468, invocations.command.search.index.bucketcache.hit=408, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=47763, invocations.command.search.rawdata.bucketcache.hit=5, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=3, 
sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=312262, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=30343, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-11-2022 00:07:42.980, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654906020_63860', total_run_time=14.07, event_count=0, 
result_count=0, available_count=0, scan_count=8, drop_count=0, exec_time=1654906046, api_et=1654902420.000000000, api_lt=1654906020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654902420.000000000, search_lt=1654906048.170592000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2923", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_94875ec5ea006a3c", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=410, eliminated_buckets=196, considered_events=8, total_slices=45863, decompressed_slices=8, duration.command.search.index=1223, invocations.command.search.index.bucketcache.hit=409, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=1531, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR 
CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-11-2022 00:07:12.516, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654905840_63813', total_run_time=124.36, event_count=0, result_count=0, available_count=0, scan_count=26000450, drop_count=0, exec_time=1654905889, api_et=1654891440.000000000, api_lt=1654905840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654891440.000000000, search_lt=1654905840.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2746", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=141, eliminated_buckets=0, considered_events=26000450, total_slices=1446333, decompressed_slices=429103, duration.command.search.index=25950, 
invocations.command.search.index.bucketcache.hit=141, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=197917, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12332076, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 00:05:12.053, user=u00002, action=search, info=completed, 
search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654905720_63720', total_run_time=116.76, event_count=0, result_count=0, available_count=0, scan_count=26083644, drop_count=0, exec_time=1654905769, api_et=1654891320.000000000, api_lt=1654905720.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654891320.000000000, search_lt=1654905720.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2675", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=141, eliminated_buckets=0, considered_events=26083644, total_slices=1442842, decompressed_slices=429953, duration.command.search.index=24618, invocations.command.search.index.bucketcache.hit=141, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=228531, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12343146, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" 
src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 00:02:42.336, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654905600_63653', total_run_time=100.27, event_count=0, result_count=0, available_count=0, scan_count=26198002, drop_count=0, exec_time=1654905649, api_et=1654891200.000000000, api_lt=1654905600.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654891200.000000000, search_lt=1654905600.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2693", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=141, eliminated_buckets=0, considered_events=26198002, total_slices=1439773, decompressed_slices=431298, duration.command.search.index=30220, invocations.command.search.index.bucketcache.hit=141, duration.command.search.index.bucketcache.hit=0, 
invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=238646, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12380888, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-11-2022 00:01:43.351, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD5447569e8e48a25cb_at_1654905600_63649', total_run_time=62.77, 
event_count=0, result_count=102, available_count=0, scan_count=0, drop_count=0, exec_time=1654905632, api_et=1654903800.000000000, api_lt=1654905600.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654903800.000000000, search_lt=1654905600.000000000, is_realtime=0, savedsearch_name="DMO SOP SIR Metrics", search_startup_time="63509", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=0, eliminated_buckets=0, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=0, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='| inputlookup dmo_conf_age.csv | search pageTitle IN ("DMOESS*", "RQ-S*") NOT pageTitle IN ("*+Retired", "*+RETIRED") | rex field=pageTitle "^(?\S+?)\+" | join usecase_id [| search earliest=-1y index=sec_snow sourcetype=snow:sn_si_incident | rex field=description "(?s)\|\s(?(RQ-|DMOESS).*)?For ServiceNow Consumption:" | stats latest(number) as latest_sir_number by _time, usecase_title | makemv usecase_title delim=" | " | mvexpand 
usecase_title | search usecase_title IN ("RQ-*", "DMOESS*") | stats last(latest_sir_number) as latest_sir_number latest(_time) as last_appeared_in_sir by usecase_title | rex field=usecase_title "^(?\S*)" | fields usecase_id, usecase_title, latest_sir_number, last_appeared_in_sir] | stats values(pageTitle) as conf_pageTitle, values(last_edited_by) as conf_last_edited_by, values(last_edited) as conf_last_edited, values(days) as conf_days_since_last_edit, values(pageId) as conf_pageId by last_appeared_in_sir, latest_sir_number, usecase_id, usecase_title | convert ctime(last_appeared_in_sir) | outputlookup dmo_sop_sir_metrics.csv'] Audit:[timestamp=06-10-2022 23:44:00.250, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654904580_63360', total_run_time=21.57, event_count=0, result_count=0, available_count=0, scan_count=3994, drop_count=0, exec_time=1654904618, api_et=1654900980.000000000, api_lt=1654904580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654900980.000000000, search_lt=1654904620.199892000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2846", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_de3264eac52f92ed", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=1, considered_events=3994, total_slices=1109914, decompressed_slices=1386, duration.command.search.index=1052, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5006, 
invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 23:39:14.507, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654903980_63152', total_run_time=41.86, event_count=0, result_count=0, available_count=0, scan_count=42085004, drop_count=0, exec_time=1654904005, api_et=1654900380.000000000, api_lt=1654903980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654900380.000000000, 
search_lt=1654904007.271671000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3647", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_12eca39214b49cea", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1882, eliminated_buckets=135, considered_events=42085004, total_slices=14592206, decompressed_slices=4285574, duration.command.search.index=18024, invocations.command.search.index.bucketcache.hit=1882, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=237204, invocations.command.search.rawdata.bucketcache.hit=333, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id 
alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 23:16:52.918, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654902960_62811', total_run_time=12.77, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654902970, api_et=1654898760.000000000, api_lt=1654902360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654899360.000000000, search_lt=1654902972.865772000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3513", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_193769614aedd149", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1050, eliminated_buckets=363, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=679, invocations.command.search.index.bucketcache.hit=1050, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, 
invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . 
" contain(s) risky tshirt commands that may indicate a CSRF attack." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 23:14:52.927, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654902840_62770', total_run_time=5.38, event_count=0, result_count=0, available_count=0, scan_count=14525, drop_count=0, exec_time=1654902863, api_et=1654899240.000000000, api_lt=1654902840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654899240.000000000, search_lt=1654902865.533079000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2951", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=408, eliminated_buckets=281, considered_events=14549, total_slices=499452, decompressed_slices=3326, duration.command.search.index=1149, invocations.command.search.index.bucketcache.hit=408, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5761, invocations.command.search.rawdata.bucketcache.hit=5, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=40, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=261, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=681, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=156, 
sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=12, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=152, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=16, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR 
sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-10-2022 23:11:23.176, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654902660_62705', total_run_time=4.87, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654902665, api_et=1654899060.000000000, api_lt=1654902660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654899060.000000000, search_lt=1654902667.323936000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2786", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_e925bf38855d5f0e", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=124, eliminated_buckets=55, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=34, 
invocations.command.search.index.bucketcache.hit=124, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 23:09:53.242, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654902540_62673', total_run_time=23.37, event_count=0, result_count=0, available_count=0, scan_count=3800280, drop_count=0, exec_time=1654902545, api_et=1654898340.000000000, api_lt=1654901940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654898340.000000000, search_lt=1654901940.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3132", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_1108a1b2f1b7e993", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=819, eliminated_buckets=398, considered_events=3800280, total_slices=1042197, decompressed_slices=178086, duration.command.search.index=1691, invocations.command.search.index.bucketcache.hit=819, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=30736, invocations.command.search.rawdata.bucketcache.hit=9, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=165, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 23:08:53.114, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654902420_62660', total_run_time=18.64, event_count=1173, result_count=60, available_count=0, scan_count=418658, drop_count=0, exec_time=1654902484, api_et=1654898820.000000000, api_lt=1654902420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654898820.000000000, search_lt=1654902486.451991000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2862", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=409, eliminated_buckets=200, considered_events=425615, total_slices=503269, decompressed_slices=113527, duration.command.search.index=3383, invocations.command.search.index.bucketcache.hit=409, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=33143, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=2, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=338992, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=31663, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype 
CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-10-2022 23:07:52.926, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654902420_62649', total_run_time=6.53, event_count=0, result_count=0, available_count=0, scan_count=2, drop_count=0, exec_time=1654902446, api_et=1654898820.000000000, api_lt=1654902420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654898820.000000000, search_lt=1654902447.980962000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2692", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_7cbd547a53c1c2d6", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=409, eliminated_buckets=200, considered_events=2, total_slices=16753, decompressed_slices=2, duration.command.search.index=1003, invocations.command.search.index.bucketcache.hit=409, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=407, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?<dest_host>(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 22:45:41.457, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654900980_62182', total_run_time=22.94, event_count=0, result_count=0, available_count=0, scan_count=4686, drop_count=0, exec_time=1654901019, api_et=1654897380.000000000, api_lt=1654900980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654897380.000000000, search_lt=1654901020.916650000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2947", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_9995479774033f64", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=4686, total_slices=1107609, decompressed_slices=1612, duration.command.search.index=1120, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5200, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 22:34:26.892, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654900380_61972', total_run_time=42.31, event_count=0, result_count=0, available_count=0, scan_count=41945390, drop_count=0, exec_time=1654900405, api_et=1654896780.000000000, api_lt=1654900380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654896780.000000000, search_lt=1654900407.430616000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3738", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_64a95bea2cd129d5", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1852, eliminated_buckets=135, considered_events=41945390, total_slices=14216463, decompressed_slices=4285027, duration.command.search.index=15068, invocations.command.search.index.bucketcache.hit=1851, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=235133, invocations.command.search.rawdata.bucketcache.hit=306, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 22:16:49.858, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654899360_61618', total_run_time=8.62, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654899371, api_et=1654895160.000000000, api_lt=1654898760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654895760.000000000, search_lt=1654899373.340440000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3518", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_060c83cb79528157", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1053, eliminated_buckets=367, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=1060, invocations.command.search.index.bucketcache.hit=1053, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?<rapiddiag_operation>task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?<get_parameters>.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?<task_name>.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 22:14:50.052, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654899240_61578', total_run_time=5.57, event_count=0, result_count=0, available_count=0, scan_count=15997, drop_count=0, exec_time=1654899263, api_et=1654895640.000000000, api_lt=1654899240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654895640.000000000, search_lt=1654899265.616480000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2873", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=414, eliminated_buckets=282, considered_events=16121, total_slices=607931, decompressed_slices=4255, duration.command.search.index=1153, invocations.command.search.index.bucketcache.hit=414, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=6042, invocations.command.search.rawdata.bucketcache.hit=7, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=55, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=385, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=1015, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=238, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=13, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=303, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=13, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") 
`filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-10-2022 22:11:19.877, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654899060_61511', total_run_time=5.20, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654899064, api_et=1654895460.000000000, api_lt=1654899060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654895460.000000000, search_lt=1654899066.913402000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="3234", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_e7050f44180375f8", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=124, eliminated_buckets=53, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=41, invocations.command.search.index.bucketcache.hit=124, 
duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?<dest_host>.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 22:10:48.619, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654898940_61479', total_run_time=16.04, event_count=0, result_count=0, available_count=0, scan_count=3824736, drop_count=0, exec_time=1654898945, api_et=1654894740.000000000, api_lt=1654898340.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654894740.000000000, search_lt=1654898340.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3090", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_900d4eaf4716c79d", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=802, eliminated_buckets=372, considered_events=3824736, total_slices=1119237, decompressed_slices=181764, duration.command.search.index=1693, invocations.command.search.index.bucketcache.hit=800, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=30235, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=154, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?<granted_account_id>\d+?):(?<granted_principal_name>.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 22:08:37.124, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654898820_61459', total_run_time=22.95, event_count=1203, result_count=67, available_count=0, scan_count=470630, drop_count=0, exec_time=1654898880, api_et=1654895220.000000000, api_lt=1654898820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654895220.000000000, search_lt=1654898882.334628000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2813", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=414, eliminated_buckets=203, considered_events=477586, total_slices=494785, decompressed_slices=115322, duration.command.search.index=3703, invocations.command.search.index.bucketcache.hit=413, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=33535, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=6, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=379439, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=32458, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype 
CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-10-2022 22:07:37.098, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654898820_61454', total_run_time=4.89, event_count=0, result_count=0, available_count=0, scan_count=6, drop_count=0, exec_time=1654898846, api_et=1654895220.000000000, api_lt=1654898820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654895220.000000000, search_lt=1654898848.556840000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2796", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_2ba984636118da6b", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=414, eliminated_buckets=203, considered_events=6, total_slices=39521, decompressed_slices=6, duration.command.search.index=812, invocations.command.search.index.bucketcache.hit=413, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=839, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?<dest_host>(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 21:44:28.913, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654897380_60988', total_run_time=20.80, event_count=0, result_count=0, available_count=0, scan_count=3391, drop_count=0, exec_time=1654897418, api_et=1654893780.000000000, api_lt=1654897380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654893780.000000000, search_lt=1654897420.186905000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2339", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_0764c24492f7ddff", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=132, eliminated_buckets=1, considered_events=3391, total_slices=1086557, decompressed_slices=1233, duration.command.search.index=1072, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4907, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 21:35:48.931, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654896780_60783', total_run_time=36.36, event_count=0, result_count=0, available_count=0, scan_count=42219838, drop_count=0, exec_time=1654896805, api_et=1654893180.000000000, api_lt=1654896780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654893180.000000000, search_lt=1654896807.486802000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3581", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_785028d48cc52e63", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1883, eliminated_buckets=135, considered_events=42219838, total_slices=14493813, decompressed_slices=4351911, duration.command.search.index=15105, invocations.command.search.index.bucketcache.hit=1882, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=234347, invocations.command.search.rawdata.bucketcache.hit=336, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 21:16:20.668, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654895760_60444', total_run_time=9.64, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654895770, api_et=1654891560.000000000, api_lt=1654895160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654892160.000000000, search_lt=1654895772.262789000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3266", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_44e0d620e9577b72", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1054, eliminated_buckets=369, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=726, invocations.command.search.index.bucketcache.hit=1054, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 21:15:40.786, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654895640_60404', total_run_time=5.18, event_count=0, result_count=0, available_count=0, scan_count=13442, drop_count=0, exec_time=1654895663, api_et=1654892040.000000000, api_lt=1654895640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654892040.000000000, search_lt=1654895665.474897000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2925", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=416, eliminated_buckets=285, considered_events=13456, total_slices=668319, decompressed_slices=3477, duration.command.search.index=1196, invocations.command.search.index.bucketcache.hit=413, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5877, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=58, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=378, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=1036, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=239, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=23, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=226, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=5, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") 
`filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-10-2022 21:11:39.371, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654895460_60337', total_run_time=5.66, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654895464, api_et=1654891860.000000000, api_lt=1654895460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654891860.000000000, search_lt=1654895466.551953000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="3134", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_ed649c7caaf0fc4d", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=124, eliminated_buckets=53, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=46, invocations.command.search.index.bucketcache.hit=124, 
duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 21:10:04.046, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654895340_60303', total_run_time=25.46, event_count=0, result_count=0, available_count=0, scan_count=3751006, drop_count=0, exec_time=1654895345, api_et=1654891140.000000000, api_lt=1654894740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654891140.000000000, search_lt=1654894740.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3092", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_55fca4ea25a45e02", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=829, eliminated_buckets=399, considered_events=3751006, total_slices=1164538, decompressed_slices=180653, duration.command.search.index=1644, invocations.command.search.index.bucketcache.hit=824, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=29412, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=118, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 21:08:39.355, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654895220_60285', total_run_time=17.03, event_count=1278, result_count=61, available_count=0, scan_count=529206, drop_count=0, exec_time=1654895280, api_et=1654891620.000000000, api_lt=1654895220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654891620.000000000, search_lt=1654895282.141687000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2873", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=421, eliminated_buckets=203, considered_events=536991, total_slices=588745, decompressed_slices=128526, duration.command.search.index=4237, invocations.command.search.index.bucketcache.hit=419, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=38278, invocations.command.search.rawdata.bucketcache.hit=7, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=5, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=430316, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=37331, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype 
CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-10-2022 21:07:39.367, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654895220_60280', total_run_time=6.35, event_count=0, result_count=0, available_count=0, scan_count=4, drop_count=0, exec_time=1654895246, api_et=1654891620.000000000, api_lt=1654895220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654891620.000000000, search_lt=1654895248.371975000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2700", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_c2e6d01912648423", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=421, eliminated_buckets=203, considered_events=4, total_slices=39936, decompressed_slices=4, duration.command.search.index=931, invocations.command.search.index.bucketcache.hit=419, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=604, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 21:00:53.486, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654894740_60089', total_run_time=40.56, event_count=0, result_count=0, available_count=0, scan_count=31480120, drop_count=0, exec_time=1654894790, api_et=1654880340.000000000, api_lt=1654894740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654880340.000000000, search_lt=1654894740.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2784", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=31480120, total_slices=1176345, decompressed_slices=477060, duration.command.search.index=11319, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=92572, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13149167, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 20:59:23.225, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654894680_60076', total_run_time=24.87, event_count=0, result_count=0, available_count=0, scan_count=31490919, drop_count=0, exec_time=1654894729, api_et=1654880280.000000000, api_lt=1654894680.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654880280.000000000, search_lt=1654894680.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2699", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=31490919, total_slices=1174239, decompressed_slices=477159, duration.command.search.index=11393, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=77860, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13153040, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 20:58:23.361, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654894620_60061', total_run_time=23.79, event_count=0, result_count=0, available_count=0, scan_count=31497918, drop_count=0, exec_time=1654894669, api_et=1654880220.000000000, api_lt=1654894620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654880220.000000000, search_lt=1654894620.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2758", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=31497918, total_slices=1172314, decompressed_slices=477170, duration.command.search.index=11535, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=79238, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13156988, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 20:57:23.249, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654894560_60044', total_run_time=28.50, event_count=0, result_count=0, available_count=0, scan_count=31505339, drop_count=0, exec_time=1654894609, api_et=1654880160.000000000, api_lt=1654894560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654880160.000000000, search_lt=1654894560.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2563", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=31505339, total_slices=1170373, decompressed_slices=477173, duration.command.search.index=11445, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=78896, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13161649, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 20:56:23.327, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654894500_60033', total_run_time=25.19, event_count=0, result_count=0, available_count=0, scan_count=31515007, drop_count=0, exec_time=1654894549, api_et=1654880100.000000000, api_lt=1654894500.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654880100.000000000, search_lt=1654894500.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2622", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=31515007, total_slices=1168511, decompressed_slices=477275, duration.command.search.index=11774, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=78772, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13166594, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 20:55:23.665, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654894440_60018', total_run_time=19.81, event_count=0, result_count=0, available_count=0, scan_count=31525165, drop_count=0, exec_time=1654894490, api_et=1654880040.000000000, api_lt=1654894440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654880040.000000000, search_lt=1654894440.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2972", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=31525165, total_slices=1166527, decompressed_slices=477328, duration.command.search.index=12332, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=74183, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13170619, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 20:55:08.333, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654894380_60001', total_run_time=31.82, event_count=0, result_count=0, available_count=0, scan_count=31536879, drop_count=0, exec_time=1654894429, api_et=1654879980.000000000, api_lt=1654894380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654879980.000000000, search_lt=1654894380.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3189", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=31536879, total_slices=1164500, decompressed_slices=477504, duration.command.search.index=12084, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=77333, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13176172, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 20:53:23.176, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654894320_59977', total_run_time=29.31, event_count=0, result_count=0, available_count=0, scan_count=31545885, drop_count=0, exec_time=1654894370, api_et=1654879920.000000000, api_lt=1654894320.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654879920.000000000, search_lt=1654894320.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2620", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=31545885, total_slices=1162531, decompressed_slices=477606, duration.command.search.index=12823, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=83872, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13181431, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 20:52:23.216, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654894260_59960', total_run_time=26.39, event_count=0, result_count=0, available_count=0, scan_count=31553331, drop_count=0, exec_time=1654894309, api_et=1654879860.000000000, api_lt=1654894260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654879860.000000000, search_lt=1654894260.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2575", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=31553331, total_slices=1160645, decompressed_slices=477708, duration.command.search.index=12178, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=80945, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13185627, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 20:51:40.507, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654894200_59936', total_run_time=41.33, event_count=0, result_count=0, available_count=0, scan_count=31566155, drop_count=0, exec_time=1654894249, api_et=1654879800.000000000, api_lt=1654894200.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654879800.000000000, search_lt=1654894200.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2657", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=31566155, total_slices=1184596, decompressed_slices=477944, duration.command.search.index=14360, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=85810, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13191059, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 20:51:39.485, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654894080_59892', total_run_time=31.75, event_count=0, result_count=0, available_count=0, scan_count=31583790, drop_count=0, exec_time=1654894129, api_et=1654879680.000000000, api_lt=1654894080.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654879680.000000000, search_lt=1654894080.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2770", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=31583790, total_slices=1180628, decompressed_slices=478106, duration.command.search.index=13088, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=83579, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13199716, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 20:51:38.897, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654894140_59913', total_run_time=27.51, event_count=0, result_count=0, available_count=0, scan_count=31575906, drop_count=0, exec_time=1654894190, api_et=1654879740.000000000, api_lt=1654894140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654879740.000000000, search_lt=1654894140.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2685", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=31575906, total_slices=1182591, decompressed_slices=478111, duration.command.search.index=12181, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=93655, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13196926, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 20:48:37.091, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654894020_59876', total_run_time=26.67, event_count=0, result_count=0, available_count=0, scan_count=31588243, drop_count=0, exec_time=1654894069, api_et=1654879620.000000000, api_lt=1654894020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654879620.000000000, search_lt=1654894020.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2724", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=31588243, total_slices=1178487, decompressed_slices=478196, duration.command.search.index=12137, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=85830, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13203186, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 20:47:36.891, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654893960_59855', total_run_time=28.66, event_count=0, result_count=0, available_count=0, scan_count=31591557, drop_count=0, exec_time=1654894009, api_et=1654879560.000000000, api_lt=1654893960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654879560.000000000, search_lt=1654893960.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2636", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=31591557, total_slices=1176675, decompressed_slices=478205, duration.command.search.index=12227, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=86564, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13208169, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 20:46:37.042, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654893900_59837', total_run_time=17.13, event_count=0, result_count=0, available_count=0, scan_count=31603502, drop_count=0, exec_time=1654893949, api_et=1654879500.000000000, api_lt=1654893900.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654879500.000000000, search_lt=1654893900.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2778", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=31603502, total_slices=1174882, decompressed_slices=478302, duration.command.search.index=11257, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=77778, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13214402, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 20:45:36.868, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654893840_59815', total_run_time=16.55, event_count=0, result_count=0, available_count=0, scan_count=31613351, drop_count=0, exec_time=1654893890, api_et=1654879440.000000000, api_lt=1654893840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654879440.000000000, search_lt=1654893840.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3091", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=31613351, total_slices=1172787, decompressed_slices=478370, duration.command.search.index=11237, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=78277, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13223250, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 20:44:37.046, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654893780_59794', total_run_time=19.92, event_count=0, result_count=0, available_count=0, scan_count=31622128, drop_count=0, exec_time=1654893829, api_et=1654879380.000000000, api_lt=1654893780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654879380.000000000, search_lt=1654893780.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3118", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=31622128, total_slices=1170903, decompressed_slices=478447, duration.command.search.index=11320, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=77464, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13227267, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 20:44:07.005, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654893780_59791', total_run_time=23.58, event_count=0, result_count=0, available_count=0, scan_count=3572, drop_count=0, exec_time=1654893818, api_et=1654890180.000000000, api_lt=1654893780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654890180.000000000, search_lt=1654893820.049786000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2867", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_e72a7a1f41f76d33", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=3572, total_slices=917255, decompressed_slices=1308, duration.command.search.index=1215, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5098, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter 
vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 20:43:36.978, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654893720_59767', total_run_time=18.74, event_count=0, result_count=0, available_count=0, scan_count=31630624, drop_count=0, exec_time=1654893769, api_et=1654879320.000000000, api_lt=1654893720.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654879320.000000000, search_lt=1654893720.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2620", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=31630624, total_slices=1168937, decompressed_slices=478507, duration.command.search.index=12039, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=79830, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13232490, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 20:42:36.942, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654893660_59744', total_run_time=23.12, event_count=0, result_count=0, available_count=0, scan_count=31640502, drop_count=0, exec_time=1654893709, api_et=1654879260.000000000, api_lt=1654893660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654879260.000000000, search_lt=1654893660.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2557", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=31640502, total_slices=1166990, decompressed_slices=478609, duration.command.search.index=11640, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=80828, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13236694, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 20:41:24.976, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654893600_59719', total_run_time=19.88, event_count=0, result_count=0, available_count=0, scan_count=31648917, drop_count=0, exec_time=1654893649, api_et=1654879200.000000000, api_lt=1654893600.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654879200.000000000, search_lt=1654893600.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2804", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=31648917, total_slices=1165205, decompressed_slices=478806, duration.command.search.index=12826, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=82642, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13242546, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 20:41:00.477, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654893540_59697', total_run_time=18.29, event_count=0, result_count=0, available_count=0, scan_count=31655209, drop_count=0, exec_time=1654893590, api_et=1654879140.000000000, api_lt=1654893540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654879140.000000000, search_lt=1654893540.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2672", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=31655209, total_slices=1163227, decompressed_slices=478958, duration.command.search.index=11704, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=80755, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13247773, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 20:41:00.066, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654893480_59681', total_run_time=16.80, event_count=0, result_count=0, available_count=0, scan_count=31661868, drop_count=0, exec_time=1654893530, api_et=1654879080.000000000, api_lt=1654893480.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654879080.000000000, search_lt=1654893480.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2631", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=31661868, total_slices=1161067, decompressed_slices=479076, duration.command.search.index=11975, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=77638, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13251156, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 20:38:20.355, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654893420_59667', total_run_time=16.75, event_count=0, result_count=0, available_count=0, scan_count=31671275, drop_count=0, exec_time=1654893469, api_et=1654879020.000000000, api_lt=1654893420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654879020.000000000, search_lt=1654893420.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2679", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=31671275, total_slices=1159165, decompressed_slices=479150, duration.command.search.index=11888, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=73776, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13256642, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 20:37:20.478, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654893360_59652', total_run_time=15.99, event_count=0, result_count=0, available_count=0, scan_count=31678629, drop_count=0, exec_time=1654893410, api_et=1654878960.000000000, api_lt=1654893360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654878960.000000000, search_lt=1654893360.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2616", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=31678629, total_slices=1157103, decompressed_slices=479289, duration.command.search.index=11539, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=74734, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13261290, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 20:36:20.561, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654893300_59642', total_run_time=17.30, event_count=0, result_count=0, available_count=0, scan_count=31687747, drop_count=0, exec_time=1654893350, api_et=1654878900.000000000, api_lt=1654893300.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654878900.000000000, search_lt=1654893300.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2650", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=31687747, total_slices=1155162, decompressed_slices=479350, duration.command.search.index=11670, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=76214, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13267540, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 20:35:36.356, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654893240_59621', total_run_time=18.50, event_count=0, result_count=0, available_count=0, scan_count=31693476, drop_count=0, exec_time=1654893289, api_et=1654878840.000000000, api_lt=1654893240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654878840.000000000, search_lt=1654893240.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2799", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=31693476, total_slices=1153254, decompressed_slices=479529, duration.command.search.index=11989, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=78547, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13273679, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 20:35:08.434, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654893180_59571', total_run_time=80.62, event_count=0, result_count=0, available_count=0, scan_count=42312409, drop_count=0, exec_time=1654893205, api_et=1654889580.000000000, api_lt=1654893180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654889580.000000000, search_lt=1654893207.501033000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="4235", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_5cda67de5a1f9fa0", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1889, eliminated_buckets=134, considered_events=42312409, total_slices=14712250, decompressed_slices=4414292, duration.command.search.index=18258, invocations.command.search.index.bucketcache.hit=1889, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=310542, invocations.command.search.rawdata.bucketcache.hit=348, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 20:35:07.777, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654893180_59585', total_run_time=21.74, event_count=0, result_count=0, available_count=0, scan_count=31702356, drop_count=0, exec_time=1654893229, api_et=1654878780.000000000, api_lt=1654893180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654878780.000000000, search_lt=1654893180.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2684", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=31702356, total_slices=1151179, decompressed_slices=479544, duration.command.search.index=14785, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=88732, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13278609, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 20:33:38.788, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654893120_59549', total_run_time=33.06, event_count=0, result_count=0, available_count=0, scan_count=31702991, drop_count=0, exec_time=1654893169, api_et=1654878720.000000000, api_lt=1654893120.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654878720.000000000, search_lt=1654893120.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2814", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=31702991, total_slices=1175241, decompressed_slices=479520, duration.command.search.index=14316, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=96717, invocations.command.search.rawdata.bucketcache.hit=5, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13283190, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 20:32:38.891, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654893060_59519', total_run_time=26.43, event_count=0, result_count=0, available_count=0, scan_count=31684939, drop_count=0, exec_time=1654893109, api_et=1654878660.000000000, api_lt=1654893060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654878660.000000000, search_lt=1654893060.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2733", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=31684939, total_slices=1173289, decompressed_slices=479425, duration.command.search.index=12906, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=98575, invocations.command.search.rawdata.bucketcache.hit=5, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13287844, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 20:31:38.836, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654893000_59491', total_run_time=32.41, event_count=0, result_count=0, available_count=0, scan_count=31661197, drop_count=0, exec_time=1654893049, api_et=1654878600.000000000, api_lt=1654893000.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654878600.000000000, search_lt=1654893000.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3194", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=0, considered_events=31661197, total_slices=1223160, decompressed_slices=479393, duration.command.search.index=14789, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=101152, invocations.command.search.rawdata.bucketcache.hit=7, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13292635, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 20:30:30.550, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654892940_59463', total_run_time=29.68, event_count=0, result_count=0, available_count=0, scan_count=31645274, drop_count=0, exec_time=1654892989, api_et=1654878540.000000000, api_lt=1654892940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654878540.000000000, search_lt=1654892940.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2745", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=0, considered_events=31645274, total_slices=1220559, decompressed_slices=479332, duration.command.search.index=11419, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=91639, invocations.command.search.rawdata.bucketcache.hit=7, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13301115, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 20:29:59.613, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654892880_59450', total_run_time=18.22, event_count=0, result_count=0, available_count=0, scan_count=31624004, drop_count=0, exec_time=1654892929, api_et=1654878480.000000000, api_lt=1654892880.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654878480.000000000, search_lt=1654892880.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2706", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=0, considered_events=31624004, total_slices=1218514, decompressed_slices=479261, duration.command.search.index=11826, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=78370, invocations.command.search.rawdata.bucketcache.hit=7, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13306189, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 20:28:38.967, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654892820_59436', total_run_time=24.33, event_count=0, result_count=0, available_count=0, scan_count=31600879, drop_count=0, exec_time=1654892870, api_et=1654878420.000000000, api_lt=1654892820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654878420.000000000, search_lt=1654892820.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2647", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=0, considered_events=31600879, total_slices=1216320, decompressed_slices=479119, duration.command.search.index=12503, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=84865, invocations.command.search.rawdata.bucketcache.hit=7, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13311687, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 20:27:39.154, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654892760_59412', total_run_time=25.63, event_count=0, result_count=0, available_count=0, scan_count=31580138, drop_count=0, exec_time=1654892810, api_et=1654878360.000000000, api_lt=1654892760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654878360.000000000, search_lt=1654892760.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2772", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=31580138, total_slices=1240208, decompressed_slices=478979, duration.command.search.index=13398, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=89456, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13315668, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 20:26:38.814, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654892700_59391', total_run_time=19.34, event_count=0, result_count=0, available_count=0, scan_count=31564169, drop_count=0, exec_time=1654892749, api_et=1654878300.000000000, api_lt=1654892700.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654878300.000000000, search_lt=1654892700.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2761", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=31564169, total_slices=1237962, decompressed_slices=478964, duration.command.search.index=12326, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=77573, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13320774, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 20:25:08.779, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654892640_59377', total_run_time=16.57, event_count=0, result_count=0, available_count=0, scan_count=31547096, drop_count=0, exec_time=1654892689, api_et=1654878240.000000000, api_lt=1654892640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654878240.000000000, search_lt=1654892640.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2570", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=31547096, total_slices=1235690, decompressed_slices=478928, duration.command.search.index=11540, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=74577, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13326468, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 20:24:37.096, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654892580_59359', total_run_time=17.89, event_count=0, result_count=0, available_count=0, scan_count=31529105, drop_count=0, exec_time=1654892630, api_et=1654878180.000000000, api_lt=1654892580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654878180.000000000, search_lt=1654892580.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2612", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=31529105, total_slices=1233505, decompressed_slices=478862, duration.command.search.index=11644, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=72651, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13329940, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 20:23:39.062, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654892520_59327', total_run_time=25.57, event_count=0, result_count=0, available_count=0, scan_count=31511998, drop_count=0, exec_time=1654892569, api_et=1654878120.000000000, api_lt=1654892520.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654878120.000000000, search_lt=1654892520.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="5450", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=31511998, total_slices=1230688, decompressed_slices=478714, duration.command.search.index=11898, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=78627, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13333266, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 20:22:38.953, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654892460_59311', total_run_time=25.46, event_count=0, result_count=0, available_count=0, scan_count=31496215, drop_count=0, exec_time=1654892510, api_et=1654878060.000000000, api_lt=1654892460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654878060.000000000, search_lt=1654892460.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2678", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=31496215, total_slices=1229122, decompressed_slices=478562, duration.command.search.index=12525, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=81745, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13339611, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 20:21:38.994, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654892400_59283', total_run_time=24.70, event_count=0, result_count=0, available_count=0, scan_count=31476117, drop_count=0, exec_time=1654892449, api_et=1654878000.000000000, api_lt=1654892400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654878000.000000000, search_lt=1654892400.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2778", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=31476117, total_slices=1227019, decompressed_slices=478428, duration.command.search.index=13238, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=85499, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13344141, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 20:20:28.828, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654892340_59259', total_run_time=24.27, event_count=0, result_count=0, available_count=0, scan_count=31455706, drop_count=0, exec_time=1654892389, api_et=1654877940.000000000, api_lt=1654892340.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654877940.000000000, search_lt=1654892340.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2825", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=31455706, total_slices=1224622, decompressed_slices=478366, duration.command.search.index=12721, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=92081, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13348088, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 20:20:28.441, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654892280_59234', total_run_time=21.50, event_count=0, result_count=0, available_count=0, scan_count=31435713, drop_count=0, exec_time=1654892329, api_et=1654877880.000000000, api_lt=1654892280.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654877880.000000000, search_lt=1654892280.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2999", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=31435713, total_slices=1222400, decompressed_slices=478246, duration.command.search.index=13006, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=84868, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13353917, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 20:18:25.121, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654892220_59214', total_run_time=20.37, event_count=0, result_count=0, available_count=0, scan_count=31410854, drop_count=0, exec_time=1654892270, api_et=1654877820.000000000, api_lt=1654892220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654877820.000000000, search_lt=1654892220.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2949", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=31410854, total_slices=1220232, decompressed_slices=478049, duration.command.search.index=12041, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=81626, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13354348, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 20:17:25.446, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654892160_59191', total_run_time=23.75, event_count=0, result_count=0, available_count=0, scan_count=31384415, drop_count=0, exec_time=1654892209, api_et=1654877760.000000000, api_lt=1654892160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654877760.000000000, search_lt=1654892160.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2612", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=31384415, total_slices=1217705, decompressed_slices=477951, duration.command.search.index=12771, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=84364, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13353452, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 20:16:55.291, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654892100_59174', total_run_time=35.69, event_count=0, result_count=0, available_count=0, scan_count=31364761, drop_count=0, exec_time=1654892150, api_et=1654877700.000000000, api_lt=1654892100.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654877700.000000000, search_lt=1654892100.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3063", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=31364761, total_slices=1215836, decompressed_slices=477797, duration.command.search.index=13775, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=98485, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13355908, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 20:16:25.263, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654892160_59185', total_run_time=10.88, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654892171, api_et=1654887960.000000000, api_lt=1654891560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654888560.000000000, search_lt=1654892173.281671000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3621", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_0a85b2d6ca1a6c07", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1057, eliminated_buckets=371, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=893, invocations.command.search.index.bucketcache.hit=1057, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes 
values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 20:15:25.249, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654892040_59155', total_run_time=31.27, event_count=0, result_count=0, available_count=0, scan_count=31342831, drop_count=0, exec_time=1654892089, api_et=1654877640.000000000, api_lt=1654892040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654877640.000000000, search_lt=1654892040.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2652", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=31342831, total_slices=1213511, 
decompressed_slices=477710, duration.command.search.index=12397, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=84062, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13356711, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 20:14:46.583, 
user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654892040_59141', total_run_time=4.61, event_count=0, result_count=0, available_count=0, scan_count=14766, drop_count=0, exec_time=1654892063, api_et=1654888440.000000000, api_lt=1654892040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654888440.000000000, search_lt=1654892064.999854000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2956", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=419, eliminated_buckets=291, considered_events=14884, total_slices=770435, decompressed_slices=3847, duration.command.search.index=1302, invocations.command.search.index.bucketcache.hit=419, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5955, invocations.command.search.rawdata.bucketcache.hit=5, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=93, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=432, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=1100, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=251, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=26, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=346, sourcetype_count__crowdstrike:falcon:fdr:RtfFileWritten=4, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=20, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull 
value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-10-2022 20:14:46.508, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654891980_59131', total_run_time=15.30, event_count=0, result_count=0, available_count=0, scan_count=31320420, drop_count=0, exec_time=1654892029, api_et=1654877580.000000000, api_lt=1654891980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654877580.000000000, search_lt=1654891980.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2648", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=31320420, total_slices=1211318, decompressed_slices=477662, duration.command.search.index=11149, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, 
invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=78005, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13356891, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 20:13:25.182, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654891920_59105', total_run_time=17.24, event_count=0, result_count=0, available_count=0, scan_count=31295792, drop_count=0, exec_time=1654891969, 
api_et=1654877520.000000000, api_lt=1654891920.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654877520.000000000, search_lt=1654891920.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2674", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=31295792, total_slices=1209062, decompressed_slices=477568, duration.command.search.index=11799, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=77978, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13356260, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS 
existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 20:12:25.303, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654891860_59087', total_run_time=19.72, event_count=0, result_count=0, available_count=0, scan_count=31262526, drop_count=0, exec_time=1654891909, api_et=1654877460.000000000, api_lt=1654891860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654877460.000000000, search_lt=1654891860.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3147", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=31262526, total_slices=1206997, decompressed_slices=477327, duration.command.search.index=11551, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=79510, invocations.command.search.rawdata.bucketcache.hit=8, 
duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13350693, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 20:11:24.121, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654891680_59027', total_run_time=18.86, event_count=0, result_count=0, available_count=0, scan_count=31191434, drop_count=0, exec_time=1654891730, api_et=1654877280.000000000, api_lt=1654891680.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654877280.000000000, 
search_lt=1654891680.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2760", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=31191434, total_slices=1200266, decompressed_slices=476931, duration.command.search.index=12279, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=82828, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13357122, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | 
search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 20:11:24.117, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654891740_59043', total_run_time=20.57, event_count=0, result_count=0, available_count=0, scan_count=31212694, drop_count=0, exec_time=1654891790, api_et=1654877340.000000000, api_lt=1654891740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654877340.000000000, search_lt=1654891740.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2693", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=31212694, total_slices=1202508, decompressed_slices=477069, duration.command.search.index=11777, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=91027, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, 
duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13354173, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 20:11:23.702, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654891800_59062', total_run_time=20.21, event_count=0, result_count=0, available_count=0, scan_count=31233737, drop_count=0, exec_time=1654891850, api_et=1654877400.000000000, api_lt=1654891800.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654877400.000000000, search_lt=1654891800.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", 
search_startup_time="2818", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=31233737, total_slices=1204631, decompressed_slices=477066, duration.command.search.index=12255, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=78782, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13351001, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen 
earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 20:11:23.494, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654891860_59070', total_run_time=5.60, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654891865, api_et=1654888260.000000000, api_lt=1654891860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654888260.000000000, search_lt=1654891867.683599000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="3064", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_91e657c6e757cc81", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=125, eliminated_buckets=52, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=52, invocations.command.search.index.bucketcache.hit=125, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?<dest_host>.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 20:11:23.477, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654891740_59035', total_run_time=18.01, event_count=0, result_count=0, available_count=0, scan_count=3769606, drop_count=0, exec_time=1654891745, api_et=1654887540.000000000, api_lt=1654891140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654887540.000000000, search_lt=1654891140.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3168", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_e8fbc9d23c0b0c84", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=816, eliminated_buckets=389, considered_events=3769606, total_slices=1038601, decompressed_slices=178342, duration.command.search.index=1607, invocations.command.search.index.bucketcache.hit=816, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=29101, invocations.command.search.rawdata.bucketcache.hit=9, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=174, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?<granted_account_id>\d+?):(?<granted_principal_name>.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 20:08:23.122, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654891620_59010', total_run_time=19.40, event_count=0, result_count=0, available_count=0, scan_count=31168602, drop_count=0, exec_time=1654891669, api_et=1654877220.000000000, api_lt=1654891620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654877220.000000000, search_lt=1654891620.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New 
IP", search_startup_time="2638", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=31168602, total_slices=1198037, decompressed_slices=476912, duration.command.search.index=12932, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=85345, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13359244, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as 
latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 20:08:22.834, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654891620_59019', total_run_time=16.90, event_count=1191, result_count=66, available_count=0, scan_count=506640, drop_count=0, exec_time=1654891684, api_et=1654888020.000000000, api_lt=1654891620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654888020.000000000, search_lt=1654891686.392427000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2768", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=418, eliminated_buckets=201, considered_events=515299, total_slices=697071, decompressed_slices=118218, duration.command.search.index=4101, invocations.command.search.index.bucketcache.hit=417, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=37480, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=3, 
sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=405923, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=39862, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-10-2022 20:07:53.230, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654891620_59005', total_run_time=4.92, event_count=0, 
result_count=0, available_count=0, scan_count=3, drop_count=0, exec_time=1654891646, api_et=1654888020.000000000, api_lt=1654891620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654888020.000000000, search_lt=1654891648.353468000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2834", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_bbd2e2c62aaab593", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=418, eliminated_buckets=201, considered_events=3, total_slices=19937, decompressed_slices=3, duration.command.search.index=748, invocations.command.search.index.bucketcache.hit=417, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=391, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR 
CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?<dest_host>(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 20:07:09.340, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654891560_58990', total_run_time=17.93, event_count=0, result_count=0, available_count=0, scan_count=31142639, drop_count=0, exec_time=1654891609, api_et=1654877160.000000000, api_lt=1654891560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654877160.000000000, search_lt=1654891560.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2638", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=31142639, total_slices=1195858, decompressed_slices=476705, duration.command.search.index=11645, 
invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=80692, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13357351, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 20:06:40.606, user=u00002, action=search, info=completed, 
search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654891380_58918', total_run_time=29.02, event_count=0, result_count=0, available_count=0, scan_count=31067463, drop_count=0, exec_time=1654891429, api_et=1654876980.000000000, api_lt=1654891380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654876980.000000000, search_lt=1654891380.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2631", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=31067463, total_slices=1189091, decompressed_slices=476222, duration.command.search.index=15572, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=122456, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13357160, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" 
src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 20:06:39.995, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654891500_58976', total_run_time=20.83, event_count=0, result_count=0, available_count=0, scan_count=31118912, drop_count=0, exec_time=1654891550, api_et=1654877100.000000000, api_lt=1654891500.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654877100.000000000, search_lt=1654891500.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3190", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=31118912, total_slices=1193745, decompressed_slices=476533, duration.command.search.index=13134, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, 
invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=85514, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13358380, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 20:06:38.991, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654891440_58959', total_run_time=23.01, 
event_count=0, result_count=0, available_count=0, scan_count=31092430, drop_count=0, exec_time=1654891490, api_et=1654877040.000000000, api_lt=1654891440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654877040.000000000, search_lt=1654891440.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2760", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=31092430, total_slices=1191248, decompressed_slices=476415, duration.command.search.index=14222, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=107439, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13358753, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, 
dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 20:03:24.987, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654891320_58873', total_run_time=27.33, event_count=0, result_count=0, available_count=0, scan_count=31042352, drop_count=0, exec_time=1654891369, api_et=1654876920.000000000, api_lt=1654891320.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654876920.000000000, search_lt=1654891320.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2622", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=31042352, total_slices=1186757, decompressed_slices=475967, duration.command.search.index=15744, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, 
duration.command.search.rawdata=125761, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13358653, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 20:02:25.154, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654891260_58843', total_run_time=25.24, event_count=0, result_count=0, available_count=0, scan_count=31015748, drop_count=0, exec_time=1654891310, api_et=1654876860.000000000, 
api_lt=1654891260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654876860.000000000, search_lt=1654891260.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2766", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=31015748, total_slices=1184383, decompressed_slices=475751, duration.command.search.index=14669, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=111769, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13356754, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, 
earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 20:01:24.980, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654891200_58813', total_run_time=30.79, event_count=0, result_count=0, available_count=0, scan_count=30988628, drop_count=0, exec_time=1654891249, api_et=1654876800.000000000, api_lt=1654891200.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654876800.000000000, search_lt=1654891200.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2757", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=30988628, total_slices=1182035, decompressed_slices=475636, duration.command.search.index=15383, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=139016, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, 
invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13354216, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 19:44:23.118, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654890180_58529', total_run_time=22.09, event_count=0, result_count=0, available_count=0, scan_count=3442, drop_count=0, exec_time=1654890218, api_et=1654886580.000000000, api_lt=1654890180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654886580.000000000, search_lt=1654890220.471718000, is_realtime=0, savedsearch_name="Threat - 
DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3001", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_2bdf495da42d86c2", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=133, eliminated_buckets=0, considered_events=3442, total_slices=836112, decompressed_slices=1367, duration.command.search.index=1152, invocations.command.search.index.bucketcache.hit=132, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4984, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, 
risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 19:34:57.311, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654889580_58324', total_run_time=79.93, event_count=0, result_count=0, available_count=0, scan_count=42058545, drop_count=0, exec_time=1654889605, api_et=1654885980.000000000, api_lt=1654889580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654885980.000000000, search_lt=1654889607.152065000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3338", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_f34994a99e02e40b", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1882, eliminated_buckets=134, considered_events=42058545, total_slices=14861765, decompressed_slices=4360399, duration.command.search.index=16061, invocations.command.search.index.bucketcache.hit=1882, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=254111, invocations.command.search.rawdata.bucketcache.hit=339, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, 
invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 19:16:43.001, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654888560_57987', total_run_time=29.65, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654888571, api_et=1654884360.000000000, api_lt=1654887960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654884960.000000000, search_lt=1654888572.945239000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3253", has_error_msg=false, 
fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_f036cb08c6c9d558", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1059, eliminated_buckets=372, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=860, invocations.command.search.index.bucketcache.hit=1059, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as 
task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 19:15:29.944, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654888440_57947', total_run_time=5.13, event_count=0, result_count=0, available_count=0, scan_count=22105, drop_count=0, exec_time=1654888463, api_et=1654884840.000000000, api_lt=1654888440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654884840.000000000, search_lt=1654888464.908732000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2823", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=410, eliminated_buckets=281, considered_events=22599, total_slices=798695, decompressed_slices=4982, duration.command.search.index=1504, 
invocations.command.search.index.bucketcache.hit=408, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=6167, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=66, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=408, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=1220, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=268, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=32, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=251, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=8, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR 
sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." 
(CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-10-2022 19:11:34.066, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654888260_57882', total_run_time=4.84, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654888265, api_et=1654884660.000000000, api_lt=1654888260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654884660.000000000, search_lt=1654888267.117348000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2819", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_41a44ccacef80579", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=123, eliminated_buckets=49, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=43, invocations.command.search.index.bucketcache.hit=123, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 19:09:44.342, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654888140_57849', total_run_time=22.04, event_count=2, result_count=1, available_count=0, scan_count=3786354, drop_count=0, exec_time=1654888145, api_et=1654883940.000000000, api_lt=1654887540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654883940.000000000, search_lt=1654887540.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3559", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_5094fa74e35fda26", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=819, eliminated_buckets=391, considered_events=3786354, total_slices=1091071, decompressed_slices=185499, duration.command.search.index=1654, invocations.command.search.index.bucketcache.hit=819, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=30381, invocations.command.search.rawdata.bucketcache.hit=9, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=140, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 19:08:30.987, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654888020_57831', total_run_time=16.54, event_count=1367, result_count=72, available_count=0, scan_count=530180, drop_count=0, exec_time=1654888080, api_et=1654884420.000000000, api_lt=1654888020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654884420.000000000, search_lt=1654888082.397248000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2799", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=408, eliminated_buckets=199, considered_events=537028, total_slices=657070, decompressed_slices=138105, duration.command.search.index=4344, invocations.command.search.index.bucketcache.hit=407, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=41348, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=5, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=425251, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=38680, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype 
CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-10-2022 19:08:00.962, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654888020_57826', total_run_time=5.82, event_count=0, result_count=0, available_count=0, scan_count=3, drop_count=0, exec_time=1654888046, api_et=1654884420.000000000, api_lt=1654888020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654884420.000000000, search_lt=1654888048.757058000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2783", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_55cf8b1d8d3adc47", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=408, eliminated_buckets=199, considered_events=3, total_slices=22600, decompressed_slices=3, duration.command.search.index=977, invocations.command.search.index.bucketcache.hit=407, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=470, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 18:45:00.969, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654886580_57354', total_run_time=24.31, event_count=0, result_count=0, available_count=0, scan_count=3074, drop_count=0, exec_time=1654886618, api_et=1654882980.000000000, api_lt=1654886580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654882980.000000000, search_lt=1654886620.723708000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2980", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_9852de898d43fdf0", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=3074, total_slices=792524, decompressed_slices=991, duration.command.search.index=1127, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4866, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 18:36:34.834, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654885980_57144', total_run_time=49.89, event_count=0, result_count=0, available_count=0, scan_count=42262386, drop_count=0, exec_time=1654886005, api_et=1654882380.000000000, api_lt=1654885980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654882380.000000000, search_lt=1654886007.704806000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3886", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_cac569f1ff1f6e96", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1867, eliminated_buckets=134, considered_events=42262386, total_slices=14663314, decompressed_slices=4367357, duration.command.search.index=15436, invocations.command.search.index.bucketcache.hit=1867, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=247064, invocations.command.search.rawdata.bucketcache.hit=325, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 18:16:40.684, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654884960_56791', total_run_time=8.63, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654884970, api_et=1654880760.000000000, api_lt=1654884360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654881360.000000000, search_lt=1654884972.357969000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3216", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_431ca28d270365dc", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1061, eliminated_buckets=373, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=1041, invocations.command.search.index.bucketcache.hit=1061, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 18:15:27.312, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654884840_56751', total_run_time=4.55, event_count=0, result_count=0, available_count=0, scan_count=22282, drop_count=0, exec_time=1654884863, api_et=1654881240.000000000, api_lt=1654884840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654881240.000000000, search_lt=1654884865.210138000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2774", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=412, eliminated_buckets=283, considered_events=23911, total_slices=721596, decompressed_slices=4764, duration.command.search.index=1313, invocations.command.search.index.bucketcache.hit=412, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=6266, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=63, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=434, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=1202, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=277, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=47, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=277, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=7, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") 
`filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-10-2022 18:11:27.493, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654884660_56683', total_run_time=5.22, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654884665, api_et=1654881060.000000000, api_lt=1654884660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654881060.000000000, search_lt=1654884667.334518000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="3257", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_bc74deabe9787798", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=123, eliminated_buckets=49, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=48, invocations.command.search.index.bucketcache.hit=123, 
duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 18:09:55.602, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654884540_56650', total_run_time=23.90, event_count=0, result_count=0, available_count=0, scan_count=3784636, drop_count=0, exec_time=1654884546, api_et=1654880340.000000000, api_lt=1654883940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654880340.000000000, search_lt=1654883940.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3032", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_aab4c1d98917fc53", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=809, eliminated_buckets=386, considered_events=3784636, total_slices=1061392, decompressed_slices=182282, duration.command.search.index=1646, invocations.command.search.index.bucketcache.hit=805, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=30491, invocations.command.search.rawdata.bucketcache.hit=6, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=142, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 18:08:27.551, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654884420_56635', total_run_time=20.27, event_count=3577, result_count=62, available_count=0, scan_count=548552, drop_count=0, exec_time=1654884484, api_et=1654880820.000000000, api_lt=1654884420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654880820.000000000, search_lt=1654884486.418129000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2833", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=412, eliminated_buckets=201, considered_events=554275, total_slices=639706, decompressed_slices=133098, duration.command.search.index=3835, invocations.command.search.index.bucketcache.hit=412, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=40254, invocations.command.search.rawdata.bucketcache.hit=6, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=3, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=438373, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=37582, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype 
CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-10-2022 18:07:57.475, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654884420_56625', total_run_time=6.46, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654884446, api_et=1654880820.000000000, api_lt=1654884420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654880820.000000000, search_lt=1654884448.135823000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2767", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_65b6905c23285da7", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=412, eliminated_buckets=201, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=892, invocations.command.search.index.bucketcache.hit=412, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 17:46:01.182, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654882980_56162', total_run_time=22.55, event_count=0, result_count=0, available_count=0, scan_count=3541, drop_count=0, exec_time=1654883018, api_et=1654879380.000000000, api_lt=1654882980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654879380.000000000, search_lt=1654883020.178167000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2950", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_4c339cfb06d39d5f", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=3541, total_slices=638974, decompressed_slices=1147, duration.command.search.index=1163, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4886, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 17:38:04.448, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654882380_55957', total_run_time=60.74, event_count=0, result_count=0, available_count=0, scan_count=42047571, drop_count=0, exec_time=1654882405, api_et=1654878780.000000000, api_lt=1654882380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654878780.000000000, search_lt=1654882407.251070000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3852", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_4b50670f0e52e717", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1874, eliminated_buckets=133, considered_events=42047571, total_slices=14534159, decompressed_slices=4341714, duration.command.search.index=15508, invocations.command.search.index.bucketcache.hit=1874, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=259978, invocations.command.search.rawdata.bucketcache.hit=320, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 17:16:43.051, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654881360_55621', total_run_time=17.06, event_count=0, result_count=0, available_count=0, scan_count=1, drop_count=0, exec_time=1654881370, api_et=1654877160.000000000, api_lt=1654880760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654877760.000000000, search_lt=1654881372.496813000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3332", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_32851da40a9a0988", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1057, eliminated_buckets=370, considered_events=1, total_slices=11100, decompressed_slices=1, duration.command.search.index=2155, invocations.command.search.index.bucketcache.hit=1057, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=443, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 17:14:43.333, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654881240_55580', total_run_time=5.84, event_count=0, result_count=0, available_count=0, scan_count=14649, drop_count=0, exec_time=1654881262, api_et=1654877640.000000000, api_lt=1654881240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654877640.000000000, search_lt=1654881264.929944000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2932", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=406, eliminated_buckets=278, considered_events=14914, total_slices=606603, decompressed_slices=4162, duration.command.search.index=1225, invocations.command.search.index.bucketcache.hit=406, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=6196, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=92, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=452, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=1244, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=289, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=305, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=330, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=11, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") 
`filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-10-2022 17:11:12.985, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654881060_55516', total_run_time=4.92, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654881065, api_et=1654877460.000000000, api_lt=1654881060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654877460.000000000, search_lt=1654881067.553679000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2824", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_237d9d6c8f10484a", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=124, eliminated_buckets=50, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=54, invocations.command.search.index.bucketcache.hit=124, 
duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 17:10:29.430, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654880940_55484', total_run_time=16.27, event_count=0, result_count=0, available_count=0, scan_count=3796770, drop_count=0, exec_time=1654880946, api_et=1654876740.000000000, api_lt=1654880340.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654876740.000000000, search_lt=1654880340.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3179", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_5a163bb58b357abb", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=805, eliminated_buckets=378, considered_events=3796770, total_slices=1053152, decompressed_slices=178112, duration.command.search.index=1676, invocations.command.search.index.bucketcache.hit=803, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=30185, invocations.command.search.rawdata.bucketcache.hit=7, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=174, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?<granted_account_id>\d+?):(?<granted_principal_name>.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 17:08:42.313, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654880820_55465', total_run_time=18.37, event_count=1323, result_count=66, available_count=0, scan_count=572096, drop_count=0, exec_time=1654880880, api_et=1654877220.000000000, api_lt=1654880820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654877220.000000000, search_lt=1654880882.003846000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2564", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=408, eliminated_buckets=200, considered_events=578446, total_slices=573059, decompressed_slices=140651, duration.command.search.index=4286, invocations.command.search.index.bucketcache.hit=408, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=40708, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=452455, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=40608, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | 
rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-10-2022 17:07:42.318, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654880820_55459', total_run_time=6.34, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654880846, api_et=1654877220.000000000, api_lt=1654880820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654877220.000000000, search_lt=1654880848.257531000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2970", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_deb9210642a85934", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=409, eliminated_buckets=200, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=1053, invocations.command.search.index.bucketcache.hit=408, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, 
invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?<dest_host>(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 17:00:23.220, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654880340_55259', total_run_time=16.94, event_count=0, result_count=0, available_count=0, scan_count=24457434, drop_count=0, exec_time=1654880390, api_et=1654865940.000000000, api_lt=1654880340.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654865940.000000000, search_lt=1654880340.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2634", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=155, eliminated_buckets=0, considered_events=24457434, total_slices=1300716, decompressed_slices=418438, duration.command.search.index=8820, invocations.command.search.index.bucketcache.hit=155, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=64327, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12580369, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 17:00:06.139, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654880280_55246', total_run_time=20.88, event_count=0, result_count=0, available_count=0, scan_count=24429359, drop_count=0, exec_time=1654880329, api_et=1654865880.000000000, api_lt=1654880280.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654865880.000000000, search_lt=1654880280.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2550", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=155, eliminated_buckets=0, considered_events=24429359, total_slices=1298586, decompressed_slices=418149, duration.command.search.index=9174, invocations.command.search.index.bucketcache.hit=155, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61843, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12573989, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 16:58:13.544, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654880220_55230', total_run_time=20.14, event_count=0, result_count=0, available_count=0, scan_count=24401644, drop_count=0, exec_time=1654880270, api_et=1654865820.000000000, api_lt=1654880220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654865820.000000000, search_lt=1654880220.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2679", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=156, eliminated_buckets=0, considered_events=24401644, total_slices=1322746, decompressed_slices=417883, duration.command.search.index=9749, invocations.command.search.index.bucketcache.hit=156, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=67328, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12566769, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 16:57:12.665, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654880160_55211', total_run_time=16.10, event_count=0, result_count=0, available_count=0, scan_count=24380816, drop_count=0, exec_time=1654880209, api_et=1654865760.000000000, api_lt=1654880160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654865760.000000000, search_lt=1654880160.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="5098", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=156, eliminated_buckets=0, considered_events=24380816, total_slices=1320953, decompressed_slices=417637, duration.command.search.index=8910, invocations.command.search.index.bucketcache.hit=156, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61230, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12560628, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 16:56:14.267, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654880100_55200', total_run_time=16.66, event_count=0, result_count=0, available_count=0, scan_count=24359037, drop_count=0, exec_time=1654880149, api_et=1654865700.000000000, api_lt=1654880100.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654865700.000000000, search_lt=1654880100.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3271", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=155, eliminated_buckets=0, considered_events=24359037, total_slices=1318883, decompressed_slices=417411, duration.command.search.index=9563, invocations.command.search.index.bucketcache.hit=155, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=66773, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12555112, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 16:55:12.775, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654880040_55184', total_run_time=13.53, event_count=0, result_count=0, available_count=0, scan_count=24328740, drop_count=0, exec_time=1654880089, api_et=1654865640.000000000, api_lt=1654880040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654865640.000000000, search_lt=1654880040.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2641", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=155, eliminated_buckets=0, considered_events=24328740, total_slices=1316924, decompressed_slices=417062, duration.command.search.index=8703, invocations.command.search.index.bucketcache.hit=155, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58352, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12547236, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 16:54:12.592, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654879980_55167', total_run_time=14.32, event_count=0, result_count=0, available_count=0, scan_count=24303900, drop_count=0, exec_time=1654880029, api_et=1654865580.000000000, api_lt=1654879980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654865580.000000000, search_lt=1654879980.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2688", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=155, eliminated_buckets=0, considered_events=24303900, total_slices=1314738, decompressed_slices=416770, duration.command.search.index=8648, invocations.command.search.index.bucketcache.hit=155, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59434, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12542022, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 16:53:12.696, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654879920_55143', total_run_time=16.89, event_count=0, result_count=0, available_count=0, scan_count=24279372, drop_count=0, exec_time=1654879970, api_et=1654865520.000000000, api_lt=1654879920.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654865520.000000000, search_lt=1654879920.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3113", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=155, eliminated_buckets=0, considered_events=24279372, total_slices=1312698, decompressed_slices=416437, duration.command.search.index=9806, invocations.command.search.index.bucketcache.hit=155, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=69795, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12535456, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 16:52:12.597, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654879860_55126', total_run_time=14.01, event_count=0, result_count=0, available_count=0, scan_count=24254636, drop_count=0, exec_time=1654879909, api_et=1654865460.000000000, api_lt=1654879860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654865460.000000000, search_lt=1654879860.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2728", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=155, eliminated_buckets=0, considered_events=24254636, total_slices=1310616, decompressed_slices=416174, duration.command.search.index=8847, invocations.command.search.index.bucketcache.hit=155, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59921, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12528962, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 16:51:13.986, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654879800_55102', total_run_time=15.09, event_count=0, result_count=0, available_count=0, scan_count=24227017, drop_count=0, exec_time=1654879849, api_et=1654865400.000000000, api_lt=1654879800.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654865400.000000000, search_lt=1654879800.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2611", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=155, eliminated_buckets=0, considered_events=24227017, total_slices=1308604, decompressed_slices=415710, duration.command.search.index=9502, invocations.command.search.index.bucketcache.hit=155, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=66738, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12521144, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 16:50:42.824, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654879740_55079', total_run_time=27.99, event_count=0, result_count=0, available_count=0, scan_count=24196450, drop_count=0, exec_time=1654879790, api_et=1654865340.000000000, api_lt=1654879740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654865340.000000000, search_lt=1654879740.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2652", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=156, eliminated_buckets=0, considered_events=24196450, total_slices=1332398, decompressed_slices=415331, duration.command.search.index=8928, invocations.command.search.index.bucketcache.hit=156, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=66083, invocations.command.search.rawdata.bucketcache.hit=20, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12512905, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 16:49:33.775, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654879680_55056', total_run_time=20.82, event_count=0, result_count=0, available_count=0, scan_count=24169555, drop_count=0, exec_time=1654879729, api_et=1654865280.000000000, api_lt=1654879680.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654865280.000000000, search_lt=1654879680.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2733", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=156, eliminated_buckets=0, considered_events=24169555, total_slices=1330297, decompressed_slices=415017, duration.command.search.index=9096, invocations.command.search.index.bucketcache.hit=156, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=63405, invocations.command.search.rawdata.bucketcache.hit=20, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12507993, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 16:48:13.525, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654879620_55040', total_run_time=18.98, event_count=0, result_count=0, available_count=0, scan_count=24145418, drop_count=0, exec_time=1654879670, api_et=1654865220.000000000, api_lt=1654879620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654865220.000000000, search_lt=1654879620.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2820", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=156, eliminated_buckets=1, considered_events=24145418, total_slices=1328233, decompressed_slices=414690, duration.command.search.index=8741, invocations.command.search.index.bucketcache.hit=156, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61057, invocations.command.search.rawdata.bucketcache.hit=20, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12501742, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 16:47:12.733, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654879560_55018', total_run_time=13.31, event_count=0, result_count=0, available_count=0, scan_count=24120901, drop_count=0, exec_time=1654879609, api_et=1654865160.000000000, api_lt=1654879560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654865160.000000000, search_lt=1654879560.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2643", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=156, eliminated_buckets=1, considered_events=24120901, total_slices=1326142, decompressed_slices=414446, duration.command.search.index=8200, invocations.command.search.index.bucketcache.hit=156, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59630, invocations.command.search.rawdata.bucketcache.hit=20, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12493107, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 16:46:13.734, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654879500_55000', total_run_time=13.78, event_count=0, result_count=0, available_count=0, scan_count=24090671, drop_count=0, exec_time=1654879550, api_et=1654865100.000000000, api_lt=1654879500.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654865100.000000000, search_lt=1654879500.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2711", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=155, eliminated_buckets=0, considered_events=24090671, total_slices=1324163, decompressed_slices=413985, duration.command.search.index=8174, invocations.command.search.index.bucketcache.hit=155, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61975, invocations.command.search.rawdata.bucketcache.hit=20, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12482832, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 16:45:13.489, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654879440_54978', total_run_time=15.73, event_count=0, result_count=0, available_count=0, scan_count=24065310, drop_count=0, exec_time=1654879490, api_et=1654865040.000000000, api_lt=1654879440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654865040.000000000, search_lt=1654879440.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3207", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=155, eliminated_buckets=0, considered_events=24065310, total_slices=1322015, decompressed_slices=413666, duration.command.search.index=8621, invocations.command.search.index.bucketcache.hit=155, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=63125, invocations.command.search.rawdata.bucketcache.hit=20, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12471511, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 16:44:32.165, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654879380_54954', total_run_time=21.94, event_count=0, result_count=0, available_count=0, scan_count=2414, drop_count=0, exec_time=1654879418, api_et=1654875780.000000000, api_lt=1654879380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654875780.000000000, search_lt=1654879420.690026000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2907", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_75a100f2d3fef586", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=2414, total_slices=669623, decompressed_slices=881, duration.command.search.index=1106, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4758, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 16:44:31.097, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654879380_54957', total_run_time=15.46, event_count=0, result_count=0, available_count=0, scan_count=24037974, drop_count=0, exec_time=1654879429, api_et=1654864980.000000000, api_lt=1654879380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654864980.000000000, search_lt=1654879380.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3041", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=155, eliminated_buckets=0, considered_events=24037974, total_slices=1319731, decompressed_slices=413319, duration.command.search.index=8488, invocations.command.search.index.bucketcache.hit=155, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=62732, invocations.command.search.rawdata.bucketcache.hit=20, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12462809, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 16:43:12.763, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654879320_54928', total_run_time=17.06, event_count=0, result_count=0, available_count=0, scan_count=24008120, drop_count=0, exec_time=1654879369, api_et=1654864920.000000000, api_lt=1654879320.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654864920.000000000, search_lt=1654879320.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2645", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=155, eliminated_buckets=0, considered_events=24008120, total_slices=1317349, decompressed_slices=412990, duration.command.search.index=9183, invocations.command.search.index.bucketcache.hit=155, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=67213, invocations.command.search.rawdata.bucketcache.hit=20, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12450623, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 16:42:43.637, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654879260_54905', total_run_time=32.92, event_count=0, result_count=0, available_count=0, scan_count=23980842, drop_count=0, exec_time=1654879309, api_et=1654864860.000000000, api_lt=1654879260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654864860.000000000, search_lt=1654879260.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2748", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=155, eliminated_buckets=0, considered_events=23980842, total_slices=1315934, decompressed_slices=412713, duration.command.search.index=8928, invocations.command.search.index.bucketcache.hit=155, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=65691, invocations.command.search.rawdata.bucketcache.hit=20, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12442633, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 16:41:41.409, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654879080_54842', total_run_time=25.74, event_count=0, result_count=0, available_count=0, scan_count=23893226, drop_count=0, exec_time=1654879129, api_et=1654864680.000000000, api_lt=1654879080.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654864680.000000000, search_lt=1654879080.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2822", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=154, eliminated_buckets=0, considered_events=23893226, total_slices=1309741, decompressed_slices=411678, duration.command.search.index=8815, invocations.command.search.index.bucketcache.hit=154, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=63770, invocations.command.search.rawdata.bucketcache.hit=20, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12410799, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 16:41:39.315, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654879200_54880', total_run_time=38.82, event_count=0, result_count=0, available_count=0, scan_count=23950657, drop_count=0, exec_time=1654879249, api_et=1654864800.000000000, api_lt=1654879200.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654864800.000000000, search_lt=1654879200.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2772", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=155, eliminated_buckets=1, considered_events=23950657, total_slices=1313877, decompressed_slices=412376, duration.command.search.index=8754, invocations.command.search.index.bucketcache.hit=155, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=67280, invocations.command.search.rawdata.bucketcache.hit=20, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12430678, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 16:41:38.891, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654879140_54858', total_run_time=39.33, event_count=0, result_count=0, available_count=0, scan_count=23919424, drop_count=0, exec_time=1654879190, api_et=1654864740.000000000, api_lt=1654879140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654864740.000000000, search_lt=1654879140.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2751", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=154, eliminated_buckets=0, considered_events=23919424, total_slices=1311819, decompressed_slices=412008, duration.command.search.index=9238, invocations.command.search.index.bucketcache.hit=154, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=74444, invocations.command.search.rawdata.bucketcache.hit=20, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12418665, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 16:38:22.126, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654879020_54828', total_run_time=23.97, event_count=0, result_count=0, available_count=0, scan_count=23863461, drop_count=0, exec_time=1654879070, api_et=1654864620.000000000, api_lt=1654879020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654864620.000000000, search_lt=1654879020.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2743", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=154, eliminated_buckets=0, considered_events=23863461, total_slices=1307572, decompressed_slices=411206, duration.command.search.index=8590, invocations.command.search.index.bucketcache.hit=154, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=64105, invocations.command.search.rawdata.bucketcache.hit=20, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12401903, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 16:37:21.698, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654878960_54813', total_run_time=22.34, event_count=0, result_count=0, available_count=0, scan_count=23833425, drop_count=0, exec_time=1654879010, api_et=1654864560.000000000, api_lt=1654878960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654864560.000000000, search_lt=1654878960.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2855", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=154, eliminated_buckets=0, considered_events=23833425, total_slices=1305566, decompressed_slices=410872, duration.command.search.index=8468, invocations.command.search.index.bucketcache.hit=154, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=64224, invocations.command.search.rawdata.bucketcache.hit=20, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12390394, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 16:36:22.250, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654878900_54803', total_run_time=24.40, event_count=0, result_count=0, available_count=0, scan_count=23801291, drop_count=0, exec_time=1654878949, api_et=1654864500.000000000, api_lt=1654878900.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654864500.000000000, search_lt=1654878900.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2673", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=154, eliminated_buckets=0, considered_events=23801291, total_slices=1303539, decompressed_slices=410576, duration.command.search.index=8795, invocations.command.search.index.bucketcache.hit=154, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=65867, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12378486, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 16:35:51.395, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654878840_54782', total_run_time=35.89, event_count=0, result_count=0, available_count=0, scan_count=23769981, drop_count=0, exec_time=1654878890, api_et=1654864440.000000000, api_lt=1654878840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654864440.000000000, search_lt=1654878840.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2854", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=154, eliminated_buckets=0, considered_events=23769981, total_slices=1301430, decompressed_slices=410209, duration.command.search.index=9784, invocations.command.search.index.bucketcache.hit=154, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=68536, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12365461, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 16:35:03.267, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654878780_54732', total_run_time=43.92, event_count=0, result_count=0, available_count=0, scan_count=42068522, drop_count=0, exec_time=1654878805, api_et=1654875180.000000000, api_lt=1654878780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654875180.000000000, search_lt=1654878807.659348000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3991", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_f43a8027ec1527d9", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1888, eliminated_buckets=134, considered_events=42068522, total_slices=14602274, decompressed_slices=4328948, duration.command.search.index=16924, invocations.command.search.index.bucketcache.hit=1887, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=248830, invocations.command.search.rawdata.bucketcache.hit=312, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 16:35:02.502, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654878780_54746', total_run_time=40.71, event_count=0, result_count=0, available_count=0, scan_count=23741090, drop_count=0, exec_time=1654878830, api_et=1654864380.000000000, api_lt=1654878780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654864380.000000000, search_lt=1654878780.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2766", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=154, eliminated_buckets=0, considered_events=23741090, total_slices=1299082, decompressed_slices=410014, duration.command.search.index=9833, invocations.command.search.index.bucketcache.hit=154, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=72389, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12355429, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 16:33:51.801, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654878720_54710', total_run_time=39.71, event_count=0, result_count=0, available_count=0, scan_count=23710811, drop_count=0, exec_time=1654878770, api_et=1654864320.000000000, api_lt=1654878720.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654864320.000000000, search_lt=1654878720.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2883", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=153, eliminated_buckets=0, considered_events=23710811, total_slices=1297341, decompressed_slices=409547, duration.command.search.index=10123, invocations.command.search.index.bucketcache.hit=153, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=86422, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12344290, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 16:32:51.897, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654878660_54681', total_run_time=38.92, event_count=0, result_count=0, available_count=0, scan_count=23684023, drop_count=0, exec_time=1654878709, api_et=1654864260.000000000, api_lt=1654878660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654864260.000000000, search_lt=1654878660.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3273", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=153, eliminated_buckets=0, considered_events=23684023, total_slices=1295181, decompressed_slices=409296, duration.command.search.index=9410, invocations.command.search.index.bucketcache.hit=153, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=71244, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12333501, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 16:31:52.597, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654878600_54653', total_run_time=41.88, event_count=0, result_count=0, available_count=0, scan_count=23654824, drop_count=0, exec_time=1654878649, api_et=1654864200.000000000, api_lt=1654878600.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654864200.000000000, search_lt=1654878600.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2940", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=153, eliminated_buckets=0, considered_events=23654824, total_slices=1293090, decompressed_slices=408889, duration.command.search.index=10432, invocations.command.search.index.bucketcache.hit=153, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=80284, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12321155, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 16:30:21.477, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654878540_54624', total_run_time=22.54, event_count=0, result_count=0, available_count=0, scan_count=23618550, drop_count=0, exec_time=1654878589, api_et=1654864140.000000000, api_lt=1654878540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654864140.000000000, search_lt=1654878540.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2811", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=153, eliminated_buckets=0, considered_events=23618550, total_slices=1291089, decompressed_slices=408496, duration.command.search.index=8129, invocations.command.search.index.bucketcache.hit=153, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61488, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12306108, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 16:29:50.383, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654878480_54610', total_run_time=15.64, event_count=0, result_count=0, available_count=0, scan_count=23592806, drop_count=0, exec_time=1654878529, api_et=1654864080.000000000, api_lt=1654878480.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654864080.000000000, search_lt=1654878480.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2723", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=153, eliminated_buckets=0, considered_events=23592806, total_slices=1288880, decompressed_slices=408246, duration.command.search.index=8585, invocations.command.search.index.bucketcache.hit=153, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59762, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12296639, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 16:28:21.401, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654878420_54596', total_run_time=21.65, event_count=0, result_count=0, available_count=0, scan_count=23562899, drop_count=0, exec_time=1654878469, api_et=1654864020.000000000, api_lt=1654878420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654864020.000000000, search_lt=1654878420.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2861", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=153, eliminated_buckets=0, considered_events=23562899, total_slices=1286824, decompressed_slices=407994, duration.command.search.index=8621, invocations.command.search.index.bucketcache.hit=153, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=62879, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12284840, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 16:27:21.741, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654878360_54577', total_run_time=22.39, event_count=0, result_count=0, available_count=0, scan_count=23537696, drop_count=0, exec_time=1654878409, api_et=1654863960.000000000, api_lt=1654878360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654863960.000000000, search_lt=1654878360.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2616", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=152, eliminated_buckets=0, considered_events=23537696, total_slices=1284836, decompressed_slices=407730, duration.command.search.index=8347, invocations.command.search.index.bucketcache.hit=152, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=62030, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12275322, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 16:26:21.524, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654878300_54561', total_run_time=27.06, event_count=0, result_count=0, available_count=0, scan_count=23507192, drop_count=0, exec_time=1654878349, api_et=1654863900.000000000, api_lt=1654878300.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654863900.000000000, search_lt=1654878300.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2723", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=152, eliminated_buckets=0, considered_events=23507192, total_slices=1282861, decompressed_slices=407483, duration.command.search.index=8724, invocations.command.search.index.bucketcache.hit=152, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=63847, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12265820, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 16:25:18.000, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654878240_54548', total_run_time=19.54, event_count=0, result_count=0, available_count=0, scan_count=23477998, drop_count=0, exec_time=1654878290, api_et=1654863840.000000000, api_lt=1654878240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654863840.000000000, search_lt=1654878240.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2615", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=152, eliminated_buckets=0, considered_events=23477998, total_slices=1280887, decompressed_slices=407131, duration.command.search.index=8975, invocations.command.search.index.bucketcache.hit=152, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=60974, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12257608, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 16:25:17.555, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654878180_54529', total_run_time=26.13, event_count=0, result_count=0, available_count=0, scan_count=23453976, drop_count=0, exec_time=1654878229, api_et=1654863780.000000000, api_lt=1654878180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654863780.000000000, search_lt=1654878180.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2654", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=152, eliminated_buckets=0, considered_events=23453976, total_slices=1278713, decompressed_slices=406984, duration.command.search.index=8976, invocations.command.search.index.bucketcache.hit=152, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=64670, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12250855, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 16:23:42.354, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654878120_54496', total_run_time=30.13, event_count=0, result_count=0, available_count=0, scan_count=23424800, drop_count=0, exec_time=1654878169, api_et=1654863720.000000000, api_lt=1654878120.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654863720.000000000, search_lt=1654878120.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2616", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=153, eliminated_buckets=0, considered_events=23424800, total_slices=1302818, decompressed_slices=406643, duration.command.search.index=9734, invocations.command.search.index.bucketcache.hit=153, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=73055, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12243725, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 16:22:42.346, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654878060_54480', total_run_time=35.26, event_count=0, result_count=0, available_count=0, scan_count=23400477, drop_count=0, exec_time=1654878109, api_et=1654863660.000000000, api_lt=1654878060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654863660.000000000, search_lt=1654878060.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2777", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=153, eliminated_buckets=0, considered_events=23400477, total_slices=1300850, decompressed_slices=406416, duration.command.search.index=8594, invocations.command.search.index.bucketcache.hit=153, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=69500, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12237212, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 16:21:41.571, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD5f35305de57109d38_at_1654878000_54454', total_run_time=30.97, event_count=12227285, result_count=15, available_count=0, scan_count=23372565, drop_count=0, exec_time=1654878058, api_et=1654863600.000000000, api_lt=1654878000.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654863600.000000000, search_lt=1654878000.000000000, is_realtime=0, savedsearch_name="(1/3)_Public/NAT IP_Updating Existing IP", search_startup_time="2814", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_0f6d107c44b6659a", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=153, eliminated_buckets=0, considered_events=23372565, total_slices=1299214, decompressed_slices=406152, duration.command.search.index=9487, invocations.command.search.index.bucketcache.hit=153, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=69043, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12227285, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="False" | eval earliest_seen=strptime(existing_es, "%m/%d/%Y %H:%M:%S.%N") | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(earliest_seen) as 
earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields ServiceType, host, src_translated_ip, earliest_seen, latest_seen, right_now, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 16:21:41.307, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654878000_54450', total_run_time=28.21, event_count=0, result_count=0, available_count=0, scan_count=23372569, drop_count=0, exec_time=1654878049, api_et=1654863600.000000000, api_lt=1654878000.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654863600.000000000, search_lt=1654878000.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2701", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=153, eliminated_buckets=0, considered_events=23372569, total_slices=1298920, decompressed_slices=406151, duration.command.search.index=9235, invocations.command.search.index.bucketcache.hit=153, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=68037, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12227285, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 16:21:11.812, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654877940_54426', total_run_time=28.98, event_count=0, result_count=0, available_count=0, scan_count=23345817, drop_count=0, exec_time=1654877990, api_et=1654863540.000000000, api_lt=1654877940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654863540.000000000, search_lt=1654877940.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2807", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=153, eliminated_buckets=0, considered_events=23345817, total_slices=1296840, decompressed_slices=405813, duration.command.search.index=8978, invocations.command.search.index.bucketcache.hit=153, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=70901, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12219818, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 16:21:11.293, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654877880_54400', total_run_time=34.32, event_count=0, result_count=0, available_count=0, scan_count=23322353, drop_count=0, exec_time=1654877929, api_et=1654863480.000000000, api_lt=1654877880.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654863480.000000000, search_lt=1654877880.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2681", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=154, eliminated_buckets=0, considered_events=23322353, total_slices=1320842, decompressed_slices=405539, duration.command.search.index=9471, invocations.command.search.index.bucketcache.hit=154, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=73160, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12212843, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 16:18:39.583, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654877820_54380', total_run_time=21.29, event_count=0, result_count=0, available_count=0, scan_count=23302591, drop_count=0, exec_time=1654877869, api_et=1654863420.000000000, api_lt=1654877820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654863420.000000000, search_lt=1654877820.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3366", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=155, eliminated_buckets=0, considered_events=23302591, total_slices=1344964, decompressed_slices=405244, duration.command.search.index=9346, invocations.command.search.index.bucketcache.hit=155, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=62337, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12210335, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 16:17:39.756, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654877760_54356', total_run_time=29.41, event_count=0, result_count=0, available_count=0, scan_count=23285288, drop_count=0, exec_time=1654877809, api_et=1654863360.000000000, api_lt=1654877760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654863360.000000000, search_lt=1654877760.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2673", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=156, eliminated_buckets=0, considered_events=23285288, total_slices=1395299, decompressed_slices=404939, duration.command.search.index=8525, invocations.command.search.index.bucketcache.hit=156, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=64997, invocations.command.search.rawdata.bucketcache.hit=20, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12206107, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 16:16:39.669, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654877700_54339', total_run_time=22.90, event_count=0, result_count=0, available_count=0, scan_count=23260675, drop_count=0, exec_time=1654877749, api_et=1654863300.000000000, api_lt=1654877700.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654863300.000000000, search_lt=1654877700.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2702", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=156, eliminated_buckets=0, considered_events=23260675, total_slices=1393293, decompressed_slices=404564, duration.command.search.index=8667, invocations.command.search.index.bucketcache.hit=156, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=66598, invocations.command.search.rawdata.bucketcache.hit=20, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12199227, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 16:16:39.463, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654877760_54350', total_run_time=16.64, event_count=0, result_count=0, available_count=0, scan_count=16, drop_count=0, exec_time=1654877771, api_et=1654873560.000000000, api_lt=1654877160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654874160.000000000, search_lt=1654877772.997123000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3265", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_0657eb9d523b7ece", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1058, eliminated_buckets=373, considered_events=16, total_slices=16822, decompressed_slices=1, duration.command.search.index=911, invocations.command.search.index.bucketcache.hit=1058, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=115, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?<rapiddiag_operation>task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?<get_parameters>.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?<task_name>.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 16:15:39.844, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654877640_54320', total_run_time=21.03, event_count=0, result_count=0, available_count=0, scan_count=23238397, drop_count=0, exec_time=1654877689, api_et=1654863240.000000000, api_lt=1654877640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654863240.000000000, search_lt=1654877640.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2692", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=156, eliminated_buckets=0, considered_events=23238397, total_slices=1391232, decompressed_slices=404283, duration.command.search.index=8451, invocations.command.search.index.bucketcache.hit=156, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=66340, invocations.command.search.rawdata.bucketcache.hit=20, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12193771, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 16:14:47.892, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654877580_54297', total_run_time=24.16, event_count=0, result_count=0, available_count=0, scan_count=23216972, drop_count=0, exec_time=1654877629, api_et=1654863180.000000000, api_lt=1654877580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654863180.000000000, search_lt=1654877580.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2698", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=156, eliminated_buckets=0, considered_events=23216972, total_slices=1389293, decompressed_slices=404024, duration.command.search.index=8490, invocations.command.search.index.bucketcache.hit=156, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=65513, invocations.command.search.rawdata.bucketcache.hit=20, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12188319, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 16:14:47.568, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654877640_54307', total_run_time=7.60, event_count=0, result_count=0, available_count=0, scan_count=12724, drop_count=0, exec_time=1654877663, api_et=1654874040.000000000, api_lt=1654877640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654874040.000000000, search_lt=1654877665.738223000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2960", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=407, eliminated_buckets=280, considered_events=12743, total_slices=469595, decompressed_slices=4119, duration.command.search.index=1245, invocations.command.search.index.bucketcache.hit=407, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=6242, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=99, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=419, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=1148, 
sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=274, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=14, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=395, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=8, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR 
sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-10-2022 16:13:39.578, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654877520_54270', total_run_time=27.97, event_count=0, result_count=0, available_count=0, scan_count=23194239, drop_count=0, exec_time=1654877569, api_et=1654863120.000000000, api_lt=1654877520.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654863120.000000000, search_lt=1654877520.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2608", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=157, eliminated_buckets=0, considered_events=23194239, total_slices=1413746, decompressed_slices=403782, 
duration.command.search.index=9776, invocations.command.search.index.bucketcache.hit=157, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=76378, invocations.command.search.rawdata.bucketcache.hit=21, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12184376, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 16:12:39.432, user=u00002, action=search, 
info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654877460_54252', total_run_time=25.97, event_count=0, result_count=0, available_count=0, scan_count=23183468, drop_count=0, exec_time=1654877509, api_et=1654863060.000000000, api_lt=1654877460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654863060.000000000, search_lt=1654877460.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2557", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=157, eliminated_buckets=0, considered_events=23183468, total_slices=1411504, decompressed_slices=403529, duration.command.search.index=8881, invocations.command.search.index.bucketcache.hit=157, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=68267, invocations.command.search.rawdata.bucketcache.hit=21, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12186071, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" 
src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 16:11:39.576, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654877460_54234', total_run_time=5.52, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654877464, api_et=1654873860.000000000, api_lt=1654877460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654873860.000000000, search_lt=1654877466.648083000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="3448", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_fdeabe827ec90b6c", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=122, eliminated_buckets=47, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=57, invocations.command.search.index.bucketcache.hit=122, duration.command.search.index.bucketcache.hit=0, 
invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 16:11:09.412, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654877400_54227', total_run_time=13.63, event_count=0, result_count=0, available_count=0, scan_count=23167294, drop_count=0, exec_time=1654877449, api_et=1654863000.000000000, api_lt=1654877400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654863000.000000000, search_lt=1654877400.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2649", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=158, eliminated_buckets=0, considered_events=23167294, total_slices=1434504, decompressed_slices=403219, duration.command.search.index=8565, invocations.command.search.index.bucketcache.hit=158, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59820, invocations.command.search.rawdata.bucketcache.hit=22, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12182142, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 16:10:09.778, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654877340_54207', total_run_time=14.52, event_count=0, result_count=0, available_count=0, scan_count=23142495, drop_count=0, exec_time=1654877389, api_et=1654862940.000000000, api_lt=1654877340.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654862940.000000000, search_lt=1654877340.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2706", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=158, eliminated_buckets=0, considered_events=23142495, total_slices=1432570, decompressed_slices=402951, duration.command.search.index=8496, invocations.command.search.index.bucketcache.hit=158, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=60498, invocations.command.search.rawdata.bucketcache.hit=22, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12176578, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 16:09:39.776, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654877340_54199', total_run_time=18.92, event_count=0, result_count=0, available_count=0, scan_count=3706638, drop_count=0, exec_time=1654877345, api_et=1654873140.000000000, api_lt=1654876740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654873140.000000000, search_lt=1654876740.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3135", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_504ca87eef862474", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=793, eliminated_buckets=366, considered_events=3706638, total_slices=1046862, decompressed_slices=172330, duration.command.search.index=1641, invocations.command.search.index.bucketcache.hit=792, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=28898, invocations.command.search.rawdata.bucketcache.hit=7, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=145, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 16:09:09.527, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654877280_54191', total_run_time=14.37, event_count=0, result_count=0, available_count=0, scan_count=23123751, drop_count=0, exec_time=1654877329, api_et=1654862880.000000000, api_lt=1654877280.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654862880.000000000, search_lt=1654877280.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New 
IP", search_startup_time="2652", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=158, eliminated_buckets=0, considered_events=23123751, total_slices=1430409, decompressed_slices=402673, duration.command.search.index=8719, invocations.command.search.index.bucketcache.hit=158, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59665, invocations.command.search.rawdata.bucketcache.hit=22, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12174302, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as 
latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 16:08:39.462, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654877220_54178', total_run_time=16.74, event_count=1279, result_count=74, available_count=0, scan_count=533614, drop_count=0, exec_time=1654877280, api_et=1654873620.000000000, api_lt=1654877220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654873620.000000000, search_lt=1654877281.981650000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2862", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=409, eliminated_buckets=199, considered_events=538438, total_slices=519501, decompressed_slices=132858, duration.command.search.index=4252, invocations.command.search.index.bucketcache.hit=409, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=37845, invocations.command.search.rawdata.bucketcache.hit=6, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=3, 
sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=424352, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=38660, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-10-2022 16:08:09.460, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654877220_54175', total_run_time=15.68, event_count=0, 
result_count=0, available_count=0, scan_count=23101380, drop_count=0, exec_time=1654877269, api_et=1654862820.000000000, api_lt=1654877220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654862820.000000000, search_lt=1654877220.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3094", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=158, eliminated_buckets=0, considered_events=23101380, total_slices=1428514, decompressed_slices=402308, duration.command.search.index=9271, invocations.command.search.index.bucketcache.hit=158, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61150, invocations.command.search.rawdata.bucketcache.hit=22, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12169565, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | 
lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 16:07:39.539, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654877220_54170', total_run_time=6.16, event_count=0, result_count=0, available_count=0, scan_count=1, drop_count=0, exec_time=1654877246, api_et=1654873620.000000000, api_lt=1654877220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654873620.000000000, search_lt=1654877248.676445000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2733", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_f05f689db1dcf844", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=409, eliminated_buckets=199, considered_events=1, total_slices=10135, decompressed_slices=1, duration.command.search.index=1008, invocations.command.search.index.bucketcache.hit=409, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, 
duration.command.search.rawdata=153, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 16:07:09.647, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654877160_54154', total_run_time=16.34, event_count=0, result_count=0, available_count=0, scan_count=23082139, drop_count=0, exec_time=1654877210, api_et=1654862760.000000000, api_lt=1654877160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654862760.000000000, search_lt=1654877160.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2705", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=158, eliminated_buckets=0, considered_events=23082139, total_slices=1426458, decompressed_slices=402014, duration.command.search.index=9865, invocations.command.search.index.bucketcache.hit=158, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=65683, invocations.command.search.rawdata.bucketcache.hit=22, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12165773, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 16:06:39.594, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654877100_54140', total_run_time=20.41, event_count=0, result_count=0, available_count=0, scan_count=23061164, drop_count=0, exec_time=1654877149, api_et=1654862700.000000000, api_lt=1654877100.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654862700.000000000, search_lt=1654877100.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2612", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=160, eliminated_buckets=0, considered_events=23061164, total_slices=1450471, decompressed_slices=401725, duration.command.search.index=9709, invocations.command.search.index.bucketcache.hit=159, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=71663, invocations.command.search.rawdata.bucketcache.hit=23, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12161051, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 16:05:39.589, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654877040_54123', total_run_time=22.66, event_count=0, result_count=0, available_count=0, scan_count=23040362, drop_count=0, exec_time=1654877090, api_et=1654862640.000000000, api_lt=1654877040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654862640.000000000, search_lt=1654877040.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2768", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=160, eliminated_buckets=0, considered_events=23040362, total_slices=1448441, decompressed_slices=401449, duration.command.search.index=9780, invocations.command.search.index.bucketcache.hit=159, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=77786, invocations.command.search.rawdata.bucketcache.hit=23, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12156035, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 16:04:39.755, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654876980_54081', total_run_time=29.46, event_count=0, result_count=0, available_count=0, scan_count=23018552, drop_count=0, exec_time=1654877030, api_et=1654862580.000000000, api_lt=1654876980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654862580.000000000, search_lt=1654876980.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2841", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=160, eliminated_buckets=0, considered_events=23018552, total_slices=1472413, decompressed_slices=401194, duration.command.search.index=14657, invocations.command.search.index.bucketcache.hit=160, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=128139, invocations.command.search.rawdata.bucketcache.hit=23, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12152476, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 16:03:39.713, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654876920_54036', total_run_time=39.16, event_count=0, result_count=0, available_count=0, scan_count=23001264, drop_count=0, exec_time=1654876970, api_et=1654862520.000000000, api_lt=1654876920.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654862520.000000000, search_lt=1654876920.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2812", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=160, eliminated_buckets=0, considered_events=23001264, total_slices=1470459, decompressed_slices=400905, duration.command.search.index=13559, invocations.command.search.index.bucketcache.hit=160, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=126794, invocations.command.search.rawdata.bucketcache.hit=23, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12150638, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 16:02:39.656, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654876860_54005', total_run_time=38.73, event_count=0, result_count=0, available_count=0, scan_count=22982871, drop_count=0, exec_time=1654876909, api_et=1654862460.000000000, api_lt=1654876860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654862460.000000000, search_lt=1654876860.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2761", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=160, eliminated_buckets=0, considered_events=22982871, total_slices=1468374, decompressed_slices=400579, duration.command.search.index=14069, invocations.command.search.index.bucketcache.hit=160, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=126328, invocations.command.search.rawdata.bucketcache.hit=23, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12149394, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 16:01:39.933, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654876800_53975', total_run_time=23.86, event_count=0, result_count=0, available_count=0, scan_count=22960904, drop_count=0, exec_time=1654876849, api_et=1654862400.000000000, api_lt=1654876800.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654862400.000000000, search_lt=1654876800.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2708", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=160, eliminated_buckets=0, considered_events=22960904, total_slices=1466393, decompressed_slices=400327, duration.command.search.index=11605, invocations.command.search.index.bucketcache.hit=160, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=93243, invocations.command.search.rawdata.bucketcache.hit=23, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12146313, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 15:44:46.895, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654875780_53678', total_run_time=21.41, event_count=0, result_count=0, available_count=0, scan_count=3199, drop_count=0, exec_time=1654875818, api_et=1654872180.000000000, api_lt=1654875780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654872180.000000000, search_lt=1654875820.655268000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3019", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_9cd93c74f737fe45", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=143, eliminated_buckets=1, considered_events=3199, total_slices=750117, decompressed_slices=1188, duration.command.search.index=1052, invocations.command.search.index.bucketcache.hit=143, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4921, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter 
vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 15:37:14.687, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654875180_53472', total_run_time=37.60, event_count=0, result_count=0, available_count=0, scan_count=42158819, drop_count=0, exec_time=1654875205, api_et=1654871580.000000000, api_lt=1654875180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654871580.000000000, search_lt=1654875207.380484000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="4044", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_1615658227792f7f", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1849, eliminated_buckets=134, considered_events=42158819, total_slices=14377199, decompressed_slices=4362090, duration.command.search.index=15111, invocations.command.search.index.bucketcache.hit=1848, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=238425, invocations.command.search.rawdata.bucketcache.hit=302, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 15:16:46.888, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654874160_53132', total_run_time=7.39, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654874170, api_et=1654869960.000000000, api_lt=1654873560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654870560.000000000, search_lt=1654874171.842724000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="2675", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_ab057e1516c7988d", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1061, eliminated_buckets=371, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=829, invocations.command.search.index.bucketcache.hit=1061, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes 
values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 15:15:35.323, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654874040_53092', total_run_time=4.03, event_count=0, result_count=0, available_count=0, scan_count=10513, drop_count=0, exec_time=1654874063, api_et=1654870440.000000000, api_lt=1654874040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654870440.000000000, search_lt=1654874065.190071000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2762", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=417, eliminated_buckets=286, considered_events=10513, total_slices=423679, decompressed_slices=3124, duration.command.search.index=1041, 
invocations.command.search.index.bucketcache.hit=417, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5469, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=66, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=343, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=913, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=215, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=8, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=243, sourcetype_count__crowdstrike:falcon:fdr:RtfFileWritten=4, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=9, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR 
sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." 
(CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-10-2022 15:11:35.838, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654873860_53025', total_run_time=5.16, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654873865, api_et=1654870260.000000000, api_lt=1654873860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654870260.000000000, search_lt=1654873867.257697000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="3076", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_c31bfc1c04e2d131", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=125, eliminated_buckets=50, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=58, invocations.command.search.index.bucketcache.hit=125, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 15:10:03.340, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654873740_52992', total_run_time=18.71, event_count=0, result_count=0, available_count=0, scan_count=3395613, drop_count=0, exec_time=1654873745, api_et=1654869540.000000000, api_lt=1654873140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654869540.000000000, search_lt=1654873140.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3107", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_b5a1208583aed851", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=808, eliminated_buckets=378, considered_events=3395613, total_slices=1111470, decompressed_slices=170587, duration.command.search.index=1558, invocations.command.search.index.bucketcache.hit=804, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=28514, invocations.command.search.rawdata.bucketcache.hit=5, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=116, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 15:08:35.869, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654873620_52973', total_run_time=16.36, event_count=1234, result_count=60, available_count=0, scan_count=495167, drop_count=0, exec_time=1654873680, api_et=1654870020.000000000, api_lt=1654873620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654870020.000000000, search_lt=1654873681.817099000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2712", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=419, eliminated_buckets=204, considered_events=500341, total_slices=598460, decompressed_slices=129502, duration.command.search.index=3994, invocations.command.search.index.bucketcache.hit=417, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=36642, invocations.command.search.rawdata.bucketcache.hit=9, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=2, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=390161, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=37036, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype 
CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-10-2022 15:07:35.712, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654873620_52968', total_run_time=4.69, event_count=0, result_count=0, available_count=0, scan_count=1, drop_count=0, exec_time=1654873646, api_et=1654870020.000000000, api_lt=1654873620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654870020.000000000, search_lt=1654873648.317368000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2868", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_5e04ba3c3ceae928", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=419, eliminated_buckets=204, considered_events=1, total_slices=1252, decompressed_slices=0, duration.command.search.index=786, invocations.command.search.index.bucketcache.hit=417, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=125, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 14:44:32.192, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654872180_52492', total_run_time=21.44, event_count=0, result_count=0, available_count=0, scan_count=3817, drop_count=0, exec_time=1654872218, api_et=1654868580.000000000, api_lt=1654872180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654868580.000000000, search_lt=1654872220.423884000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2972", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_d49b9ab5fa8f1f87", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=1, considered_events=3817, total_slices=787810, decompressed_slices=1441, duration.command.search.index=1021, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4677, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 14:37:08.968, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654871580_52282', total_run_time=41.71, event_count=0, result_count=0, available_count=0, scan_count=42498900, drop_count=0, exec_time=1654871605, api_et=1654867980.000000000, api_lt=1654871580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654867980.000000000, search_lt=1654871607.388943000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3899", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_8086134476d4ead3", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1892, eliminated_buckets=134, considered_events=42498900, total_slices=14747527, decompressed_slices=4439028, duration.command.search.index=17333, invocations.command.search.index.bucketcache.hit=1892, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=239400, invocations.command.search.rawdata.bucketcache.hit=343, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 14:16:21.905, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654870560_51836', total_run_time=8.16, event_count=0, result_count=0, available_count=0, scan_count=1, drop_count=0, exec_time=1654870571, api_et=1654866360.000000000, api_lt=1654869960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654866960.000000000, search_lt=1654870573.139322000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3277", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_ed979cd71dc9984e", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1059, eliminated_buckets=373, considered_events=1, total_slices=3093, decompressed_slices=1, duration.command.search.index=732, invocations.command.search.index.bucketcache.hit=1059, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=110, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 14:14:38.557, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654870440_51796', total_run_time=4.24, event_count=0, result_count=0, available_count=0, scan_count=10955, drop_count=0, exec_time=1654870463, api_et=1654866840.000000000, api_lt=1654870440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654866840.000000000, search_lt=1654870465.443953000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2908", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=419, eliminated_buckets=287, considered_events=10977, total_slices=443290, decompressed_slices=3041, duration.command.search.index=1167, invocations.command.search.index.bucketcache.hit=418, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5579, invocations.command.search.rawdata.bucketcache.hit=6, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=63, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=271, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=847, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=162, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=5, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=243, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=12, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") 
`filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-10-2022 14:11:22.183, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654870260_51730', total_run_time=4.87, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654870264, api_et=1654866660.000000000, api_lt=1654870260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654866660.000000000, search_lt=1654870266.586646000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2742", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_c45a8003ba71979e", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=122, eliminated_buckets=47, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=53, invocations.command.search.index.bucketcache.hit=122, 
duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 14:09:42.108, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654870140_51699', total_run_time=17.19, event_count=1, result_count=1, available_count=0, scan_count=3711465, drop_count=0, exec_time=1654870145, api_et=1654865940.000000000, api_lt=1654869540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654865940.000000000, search_lt=1654869540.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3030", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_cff702b6a86e02c9", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=798, eliminated_buckets=367, considered_events=3711465, total_slices=1088742, decompressed_slices=184875, duration.command.search.index=1641, invocations.command.search.index.bucketcache.hit=796, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=30463, invocations.command.search.rawdata.bucketcache.hit=9, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=235, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 14:08:21.860, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654870020_51679', total_run_time=18.67, event_count=2197, result_count=112, available_count=0, scan_count=528384, drop_count=0, exec_time=1654870080, api_et=1654866420.000000000, api_lt=1654870020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654866420.000000000, search_lt=1654870082.570224000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2873", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=419, eliminated_buckets=203, considered_events=536339, total_slices=720610, decompressed_slices=130110, duration.command.search.index=4209, invocations.command.search.index.bucketcache.hit=418, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=36648, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=3, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=419235, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=44526, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype 
CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-10-2022 14:07:51.846, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654870020_51674', total_run_time=6.13, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654870046, api_et=1654866420.000000000, api_lt=1654870020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654866420.000000000, search_lt=1654870048.790612000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2891", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_dd0308c0dfcf48d2", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=419, eliminated_buckets=203, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=1008, invocations.command.search.index.bucketcache.hit=418, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 13:45:43.012, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654868580_51212', total_run_time=22.44, event_count=0, result_count=0, available_count=0, scan_count=3637, drop_count=0, exec_time=1654868618, api_et=1654864980.000000000, api_lt=1654868580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654864980.000000000, search_lt=1654868620.031169000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2863", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_a37b7418f9ade75b", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=0, considered_events=3637, total_slices=880625, decompressed_slices=1331, duration.command.search.index=1067, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4915, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 13:38:42.126, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654867980_51007', total_run_time=74.53, event_count=0, result_count=0, available_count=0, scan_count=42595296, drop_count=0, exec_time=1654868005, api_et=1654864380.000000000, api_lt=1654867980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654864380.000000000, search_lt=1654868007.614361000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3990", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_bb2b2e3e0e83eb6b", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1890, eliminated_buckets=134, considered_events=42595296, total_slices=14932926, decompressed_slices=4438340, duration.command.search.index=16461, invocations.command.search.index.bucketcache.hit=1890, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=309617, invocations.command.search.rawdata.bucketcache.hit=340, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 13:16:46.513, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654866960_50670', total_run_time=8.01, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654866970, api_et=1654862760.000000000, api_lt=1654866360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654863360.000000000, search_lt=1654866972.880117000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3276", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_46d806074c94ece7", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1061, eliminated_buckets=375, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=692, invocations.command.search.index.bucketcache.hit=1061, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 13:15:05.673, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654866840_50630', total_run_time=4.12, event_count=0, result_count=0, available_count=0, scan_count=14401, drop_count=0, exec_time=1654866863, api_et=1654863240.000000000, api_lt=1654866840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654863240.000000000, search_lt=1654866865.053843000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2794", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=416, eliminated_buckets=284, considered_events=14405, total_slices=550261, decompressed_slices=3173, duration.command.search.index=1196, invocations.command.search.index.bucketcache.hit=416, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5548, invocations.command.search.rawdata.bucketcache.hit=6, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=63, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=134, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=659, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=93, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=8, 
sourcetype_count__crowdstrike:falcon:fdr:PdfFileWritten=1, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=350, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=8, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR 
sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-10-2022 13:11:16.339, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654866660_50564', total_run_time=4.64, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654866664, api_et=1654863060.000000000, api_lt=1654866660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654863060.000000000, search_lt=1654866665.987040000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2208", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_24d615536a7a19d2", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=129, eliminated_buckets=55, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=75, 
invocations.command.search.index.bucketcache.hit=129, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 13:09:35.784, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654866540_50532', total_run_time=18.94, event_count=0, result_count=0, available_count=0, scan_count=4145123, drop_count=0, exec_time=1654866545, api_et=1654862340.000000000, api_lt=1654865940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654862340.000000000, search_lt=1654865940.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3263", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_9987189f77957b04", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=794, eliminated_buckets=367, considered_events=4145123, total_slices=1171670, decompressed_slices=195189, duration.command.search.index=1704, invocations.command.search.index.bucketcache.hit=793, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=31099, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=181, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 13:08:46.230, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654866420_50514', total_run_time=17.05, event_count=1979, result_count=115, available_count=0, scan_count=467571, drop_count=0, exec_time=1654866480, api_et=1654862820.000000000, api_lt=1654866420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654862820.000000000, search_lt=1654866482.437326000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2872", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=418, eliminated_buckets=206, considered_events=473450, total_slices=663586, decompressed_slices=113526, duration.command.search.index=3781, invocations.command.search.index.bucketcache.hit=418, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=32037, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=3, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=370800, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=41399, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype 
CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-10-2022 13:07:46.315, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654866420_50509', total_run_time=4.94, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654866446, api_et=1654862820.000000000, api_lt=1654866420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654862820.000000000, search_lt=1654866449.113541000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="3071", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_f8b46b676e55bdc4", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=418, eliminated_buckets=206, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=716, invocations.command.search.index.bucketcache.hit=418, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 13:00:05.737, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654865940_50320', total_run_time=14.29, event_count=0, result_count=0, available_count=0, scan_count=21740870, drop_count=0, exec_time=1654865990, api_et=1654851540.000000000, api_lt=1654865940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654851540.000000000, search_lt=1654865940.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2647", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=153, eliminated_buckets=0, considered_events=21740870, total_slices=1495882, decompressed_slices=381909, duration.command.search.index=7505, invocations.command.search.index.bucketcache.hit=153, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57990, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11906172, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 12:59:05.518, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654865880_50307', total_run_time=13.20, event_count=0, result_count=0, available_count=0, scan_count=21742340, drop_count=0, exec_time=1654865929, api_et=1654851480.000000000, api_lt=1654865880.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654851480.000000000, search_lt=1654865880.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3248", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=153, eliminated_buckets=0, considered_events=21742340, total_slices=1494056, decompressed_slices=381903, duration.command.search.index=7551, invocations.command.search.index.bucketcache.hit=153, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56264, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11905355, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 12:58:05.859, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654865820_50292', total_run_time=12.71, event_count=0, result_count=0, available_count=0, scan_count=21746090, drop_count=0, exec_time=1654865869, api_et=1654851420.000000000, api_lt=1654865820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654851420.000000000, search_lt=1654865820.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2627", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=153, eliminated_buckets=0, considered_events=21746090, total_slices=1492317, decompressed_slices=381849, duration.command.search.index=7680, invocations.command.search.index.bucketcache.hit=153, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57578, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11906332, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 12:57:05.803, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654865760_50274', total_run_time=13.08, event_count=0, result_count=0, available_count=0, scan_count=21746297, drop_count=0, exec_time=1654865809, api_et=1654851360.000000000, api_lt=1654865760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654851360.000000000, search_lt=1654865760.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2832", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=153, eliminated_buckets=0, considered_events=21746297, total_slices=1490556, decompressed_slices=381909, duration.command.search.index=7708, invocations.command.search.index.bucketcache.hit=153, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55272, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11905490, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 12:56:05.850, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654865700_50263', total_run_time=13.64, event_count=0, result_count=0, available_count=0, scan_count=21747896, drop_count=0, exec_time=1654865750, api_et=1654851300.000000000, api_lt=1654865700.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654851300.000000000, search_lt=1654865700.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2685", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=153, eliminated_buckets=0, considered_events=21747896, total_slices=1488815, decompressed_slices=381839, duration.command.search.index=7852, invocations.command.search.index.bucketcache.hit=153, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57044, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11905037, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 12:55:05.830, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654865640_50246', total_run_time=13.36, event_count=0, result_count=0, available_count=0, scan_count=21752870, drop_count=0, exec_time=1654865689, api_et=1654851240.000000000, api_lt=1654865640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654851240.000000000, search_lt=1654865640.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2632", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=153, eliminated_buckets=0, considered_events=21752870, total_slices=1487092, decompressed_slices=381862, duration.command.search.index=8271, invocations.command.search.index.bucketcache.hit=153, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=54750, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11904722, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 12:54:34.065, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654865580_50229', total_run_time=13.25, event_count=0, result_count=0, available_count=0, scan_count=21751809, drop_count=0, exec_time=1654865629, api_et=1654851180.000000000, api_lt=1654865580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654851180.000000000, search_lt=1654865580.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3135", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=153, eliminated_buckets=0, considered_events=21751809, total_slices=1485162, decompressed_slices=381919, duration.command.search.index=8088, invocations.command.search.index.bucketcache.hit=153, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=54026, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11902594, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 12:53:05.877, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654865520_50205', total_run_time=15.03, event_count=0, result_count=0, available_count=0, scan_count=21752108, drop_count=0, exec_time=1654865569, api_et=1654851120.000000000, api_lt=1654865520.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654851120.000000000, search_lt=1654865520.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2790", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=152, eliminated_buckets=0, considered_events=21752108, total_slices=1483478, decompressed_slices=381912, duration.command.search.index=8406, invocations.command.search.index.bucketcache.hit=152, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58311, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11902825, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 12:52:35.539, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654865460_50188', total_run_time=15.83, event_count=0, result_count=0, available_count=0, scan_count=21754456, drop_count=0, exec_time=1654865509, api_et=1654851060.000000000, api_lt=1654865460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654851060.000000000, search_lt=1654865460.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2622", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=152, eliminated_buckets=0, considered_events=21754456, total_slices=1481761, decompressed_slices=381909, duration.command.search.index=8097, invocations.command.search.index.bucketcache.hit=152, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58497, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11903181, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 12:51:20.860, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654865400_50164', total_run_time=14.72, event_count=0, result_count=0, available_count=0, scan_count=21757246, drop_count=0, exec_time=1654865449, api_et=1654851000.000000000, api_lt=1654865400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654851000.000000000, search_lt=1654865400.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2571", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=152, eliminated_buckets=0, considered_events=21757246, total_slices=1480080, decompressed_slices=381879, duration.command.search.index=8178, invocations.command.search.index.bucketcache.hit=152, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58411, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11903077, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 12:50:51.878, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654865340_50141', total_run_time=13.73, event_count=0, result_count=0, available_count=0, scan_count=21763283, drop_count=0, exec_time=1654865389, api_et=1654850940.000000000, api_lt=1654865340.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654850940.000000000, search_lt=1654865340.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2739", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=152, eliminated_buckets=0, considered_events=21763283, total_slices=1478334, decompressed_slices=381991, duration.command.search.index=7709, invocations.command.search.index.bucketcache.hit=152, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56705, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11904735, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 12:50:51.574, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654865280_50119', total_run_time=14.82, event_count=0, result_count=0, available_count=0, scan_count=21763549, drop_count=0, exec_time=1654865329, api_et=1654850880.000000000, api_lt=1654865280.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654850880.000000000, search_lt=1654865280.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2678", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=152, eliminated_buckets=0, considered_events=21763549, total_slices=1476606, decompressed_slices=381952, duration.command.search.index=8051, invocations.command.search.index.bucketcache.hit=152, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56702, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11903772, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 12:48:14.312, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654865220_50103', total_run_time=12.90, event_count=0, result_count=0, available_count=0, scan_count=21764453, drop_count=0, exec_time=1654865269, api_et=1654850820.000000000, api_lt=1654865220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654850820.000000000, search_lt=1654865220.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2575", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=152, eliminated_buckets=0, considered_events=21764453, total_slices=1474853, decompressed_slices=381902, duration.command.search.index=8091, invocations.command.search.index.bucketcache.hit=152, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56340, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11903449, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 12:47:14.547, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654865160_50082', total_run_time=12.96, event_count=0, result_count=0, available_count=0, scan_count=21767596, drop_count=0, exec_time=1654865210, api_et=1654850760.000000000, api_lt=1654865160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654850760.000000000, search_lt=1654865160.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2654", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=152, eliminated_buckets=0, considered_events=21767596, total_slices=1473153, decompressed_slices=381945, duration.command.search.index=7303, invocations.command.search.index.bucketcache.hit=152, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=54931, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11903643, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 12:46:14.496, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654865100_50064', total_run_time=12.83, event_count=0, result_count=0, available_count=0, scan_count=21771027, drop_count=0, exec_time=1654865150, api_et=1654850700.000000000, api_lt=1654865100.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654850700.000000000, search_lt=1654865100.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2730", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=152, eliminated_buckets=0, considered_events=21771027, total_slices=1471464, decompressed_slices=381940, duration.command.search.index=7502, invocations.command.search.index.bucketcache.hit=152, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56122, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11904866, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 12:45:14.336, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654865040_50040', total_run_time=12.83, event_count=0, result_count=0, available_count=0, scan_count=21769920, drop_count=0, exec_time=1654865089, api_et=1654850640.000000000, api_lt=1654865040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654850640.000000000, search_lt=1654865040.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2754", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=152, eliminated_buckets=0, considered_events=21769920, total_slices=1469685, decompressed_slices=381964, duration.command.search.index=7671, invocations.command.search.index.bucketcache.hit=152, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=54730, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11905138, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 12:44:14.571, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654864980_50017', total_run_time=21.04, event_count=0, result_count=0, available_count=0, scan_count=3981, drop_count=0, exec_time=1654865018, api_et=1654861380.000000000, api_lt=1654864980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654861380.000000000, search_lt=1654865020.590191000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2854", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_8539508084d5db40", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=143, eliminated_buckets=0, considered_events=3981, total_slices=900642, decompressed_slices=1437, duration.command.search.index=1047, invocations.command.search.index.bucketcache.hit=143, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4888, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 12:44:14.552, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654864980_50020', total_run_time=13.76, event_count=0, result_count=0, available_count=0, scan_count=21770199, drop_count=0, exec_time=1654865029, api_et=1654850580.000000000, api_lt=1654864980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654850580.000000000, search_lt=1654864980.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3253", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=152, eliminated_buckets=0, considered_events=21770199, total_slices=1467974, decompressed_slices=382036, duration.command.search.index=7683, invocations.command.search.index.bucketcache.hit=152, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57583, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11904521, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 12:43:14.259, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654864920_49992', total_run_time=12.73, event_count=0, result_count=0, available_count=0, scan_count=21770705, drop_count=0, exec_time=1654864969, api_et=1654850520.000000000, api_lt=1654864920.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654850520.000000000, search_lt=1654864920.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2958", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=152, eliminated_buckets=0, considered_events=21770705, total_slices=1492133, decompressed_slices=382013, duration.command.search.index=7821, invocations.command.search.index.bucketcache.hit=152, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56530, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11905867, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 12:42:14.414, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654864860_49969', total_run_time=13.10, event_count=0, result_count=0, available_count=0, scan_count=21774940, drop_count=0, exec_time=1654864909, api_et=1654850460.000000000, api_lt=1654864860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654850460.000000000, search_lt=1654864860.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2879", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=152, eliminated_buckets=0, considered_events=21774940, total_slices=1490399, decompressed_slices=382077, duration.command.search.index=7813, invocations.command.search.index.bucketcache.hit=152, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55992, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11907536, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 12:41:14.518, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654864800_49944', total_run_time=13.41, event_count=0, result_count=0, available_count=0, scan_count=21775498, drop_count=0, exec_time=1654864849, api_et=1654850400.000000000, api_lt=1654864800.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654850400.000000000, search_lt=1654864800.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3002", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=152, eliminated_buckets=0, considered_events=21775498, total_slices=1488667, decompressed_slices=382025, duration.command.search.index=7789, invocations.command.search.index.bucketcache.hit=152, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58125, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11908727, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 12:40:14.489, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654864740_49922', total_run_time=13.27, event_count=0, result_count=0, available_count=0, scan_count=21781931, drop_count=0, exec_time=1654864790, api_et=1654850340.000000000, api_lt=1654864740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654850340.000000000, search_lt=1654864740.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2602", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=152, eliminated_buckets=0, considered_events=21781931, total_slices=1486957, decompressed_slices=382049, duration.command.search.index=7610, invocations.command.search.index.bucketcache.hit=152, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56929, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11910875, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 12:39:14.562, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654864680_49906', total_run_time=12.33, event_count=0, result_count=0, available_count=0, scan_count=21782544, drop_count=0, exec_time=1654864729, api_et=1654850280.000000000, api_lt=1654864680.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654850280.000000000, search_lt=1654864680.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2621", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=153, eliminated_buckets=0, considered_events=21782544, total_slices=1511052, decompressed_slices=382052, duration.command.search.index=7798, invocations.command.search.index.bucketcache.hit=153, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55221, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11909957, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 12:38:44.036, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654864380_49795', total_run_time=40.49, event_count=0, result_count=0, available_count=0, scan_count=42791953, drop_count=0, exec_time=1654864405, api_et=1654860780.000000000, api_lt=1654864380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654860780.000000000, search_lt=1654864407.838412000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3891", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_63f76491267c04a8", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1871, eliminated_buckets=134, considered_events=42791953, total_slices=14767107, decompressed_slices=4428379, duration.command.search.index=15159, invocations.command.search.index.bucketcache.hit=1870, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=236938, invocations.command.search.rawdata.bucketcache.hit=320, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 12:38:43.843, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654864380_49809', total_run_time=15.20, event_count=0, result_count=0, available_count=0, scan_count=21806136, drop_count=0, exec_time=1654864429, api_et=1654849980.000000000, api_lt=1654864380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654849980.000000000, search_lt=1654864380.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2742", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=153, eliminated_buckets=1, considered_events=21806136, total_slices=1502472, decompressed_slices=382161, duration.command.search.index=9034, invocations.command.search.index.bucketcache.hit=153, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=64276, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11921238, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 12:38:43.652, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654864500_49866', total_run_time=13.89, event_count=0, result_count=0, available_count=0, scan_count=21794631, drop_count=0, exec_time=1654864550, api_et=1654850100.000000000, api_lt=1654864500.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654850100.000000000, search_lt=1654864500.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2841", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=153, eliminated_buckets=1, considered_events=21794631, total_slices=1505883, decompressed_slices=382081, duration.command.search.index=7662, invocations.command.search.index.bucketcache.hit=153, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56714, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11916233, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 12:38:42.823, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654864620_49891', total_run_time=12.64, event_count=0, result_count=0, available_count=0, scan_count=21786288, drop_count=0, exec_time=1654864670, api_et=1654850220.000000000, api_lt=1654864620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654850220.000000000, search_lt=1654864620.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2718", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=153, eliminated_buckets=0, considered_events=21786288, total_slices=1509126, decompressed_slices=382049, duration.command.search.index=7942, invocations.command.search.index.bucketcache.hit=153, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=54168, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11910353, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 12:38:42.233, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654864440_49844', total_run_time=13.71, event_count=0, result_count=0, available_count=0, scan_count=21803580, drop_count=0, exec_time=1654864489, api_et=1654850040.000000000, api_lt=1654864440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654850040.000000000, search_lt=1654864440.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2758", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=153, eliminated_buckets=1, considered_events=21803580, total_slices=1504164, decompressed_slices=382091, duration.command.search.index=7934, invocations.command.search.index.bucketcache.hit=153, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56675, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11919358, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 12:38:41.768, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654864560_49876', total_run_time=12.48, event_count=0, result_count=0, available_count=0, scan_count=21789303, drop_count=0, exec_time=1654864609, api_et=1654850160.000000000, api_lt=1654864560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654850160.000000000, search_lt=1654864560.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2537", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=153, eliminated_buckets=1, considered_events=21789303, total_slices=1507597, decompressed_slices=382068, duration.command.search.index=7854, invocations.command.search.index.bucketcache.hit=153, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53237, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11913058, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 12:33:24.716, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654864320_49772', total_run_time=17.12, event_count=0, result_count=0, available_count=0, scan_count=21812174, drop_count=0, exec_time=1654864369, api_et=1654849920.000000000, api_lt=1654864320.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654849920.000000000, search_lt=1654864320.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2822", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=153, eliminated_buckets=1, considered_events=21812174, total_slices=1500713, decompressed_slices=382229, duration.command.search.index=8225, invocations.command.search.index.bucketcache.hit=153, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=66254, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11924598, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 12:32:24.594, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654864260_49742', total_run_time=16.05, event_count=0, result_count=0, available_count=0, scan_count=21815709, drop_count=0, exec_time=1654864309, api_et=1654849860.000000000, api_lt=1654864260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654849860.000000000, search_lt=1654864260.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3051", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=153, eliminated_buckets=1, considered_events=21815709, total_slices=1499044, decompressed_slices=382265, duration.command.search.index=8571, invocations.command.search.index.bucketcache.hit=153, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=62322, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11927164, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 12:31:24.802, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654864200_49714', total_run_time=16.15, event_count=0, result_count=0, available_count=0, scan_count=21822109, drop_count=0, exec_time=1654864249, api_et=1654849800.000000000, api_lt=1654864200.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654849800.000000000, search_lt=1654864200.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2669", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=154, eliminated_buckets=1, considered_events=21822109, total_slices=1496972, decompressed_slices=382269, duration.command.search.index=8188, invocations.command.search.index.bucketcache.hit=154, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=60894, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11930971, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 12:30:24.622, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654864140_49685', total_run_time=13.44, event_count=0, result_count=0, available_count=0, scan_count=21829957, drop_count=0, exec_time=1654864190, api_et=1654849740.000000000, api_lt=1654864140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654849740.000000000, search_lt=1654864140.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2728", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=154, eliminated_buckets=2, considered_events=21829957, total_slices=1495549, decompressed_slices=382323, duration.command.search.index=7339, invocations.command.search.index.bucketcache.hit=154, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56467, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11933738, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 12:29:24.603, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654864080_49672', total_run_time=13.21, event_count=0, result_count=0, available_count=0, scan_count=21831814, drop_count=0, exec_time=1654864129, api_et=1654849680.000000000, api_lt=1654864080.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654849680.000000000, search_lt=1654864080.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2565", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=154, eliminated_buckets=3, considered_events=21831814, total_slices=1519349, decompressed_slices=382235, duration.command.search.index=7579, invocations.command.search.index.bucketcache.hit=154, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56240, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11934172, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 12:28:24.720, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654864020_49658', total_run_time=13.13, event_count=0, result_count=0, available_count=0, scan_count=21839617, drop_count=0, exec_time=1654864069, api_et=1654849620.000000000, api_lt=1654864020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654849620.000000000, search_lt=1654864020.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2916", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=154, eliminated_buckets=3, considered_events=21839617, total_slices=1517565, decompressed_slices=382299, duration.command.search.index=7565, invocations.command.search.index.bucketcache.hit=154, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55699, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11937308, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 12:27:24.769, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654863960_49639', total_run_time=12.73, event_count=0, result_count=0, available_count=0, scan_count=21843861, drop_count=0, exec_time=1654864010, api_et=1654849560.000000000, api_lt=1654863960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654849560.000000000, search_lt=1654863960.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2722", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=151, eliminated_buckets=1, considered_events=21843861, total_slices=1515837, decompressed_slices=382205, duration.command.search.index=7410, invocations.command.search.index.bucketcache.hit=151, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57268, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11939727, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 12:26:24.689, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654863900_49623', total_run_time=14.28, event_count=0, result_count=0, available_count=0, scan_count=21847182, drop_count=0, exec_time=1654863950, api_et=1654849500.000000000, api_lt=1654863900.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654849500.000000000, search_lt=1654863900.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3416", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=150, eliminated_buckets=0, considered_events=21847182, total_slices=1514078, decompressed_slices=382257, duration.command.search.index=7487, invocations.command.search.index.bucketcache.hit=150, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57452, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11939986, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 12:25:24.590, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654863840_49609', total_run_time=13.54, event_count=0, result_count=0, available_count=0, scan_count=21851425, drop_count=0, exec_time=1654863890, api_et=1654849440.000000000, api_lt=1654863840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654849440.000000000, search_lt=1654863840.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2736", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=150, eliminated_buckets=0, considered_events=21851425, total_slices=1512416, decompressed_slices=382100, duration.command.search.index=7710, invocations.command.search.index.bucketcache.hit=150, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55765, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11941100, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 12:24:24.617, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654863780_49590', total_run_time=12.45, event_count=0, result_count=0, available_count=0, scan_count=21853295, drop_count=0, exec_time=1654863829, api_et=1654849380.000000000, api_lt=1654863780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654849380.000000000, search_lt=1654863780.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2676", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=149, eliminated_buckets=0, considered_events=21853295, total_slices=1510509, decompressed_slices=382021, duration.command.search.index=7623, invocations.command.search.index.bucketcache.hit=149, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=54050, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11941181, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 12:23:24.844, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654863720_49558', total_run_time=13.88, event_count=0, result_count=0, available_count=0, scan_count=21855665, drop_count=0, exec_time=1654863769, api_et=1654849320.000000000, api_lt=1654863720.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654849320.000000000, search_lt=1654863720.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2725", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=149, eliminated_buckets=1, considered_events=21855665, total_slices=1508696, decompressed_slices=381991, duration.command.search.index=7846, invocations.command.search.index.bucketcache.hit=149, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58094, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11940855, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 12:22:24.571, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654863660_49541', total_run_time=14.60, event_count=0, result_count=0, available_count=0, scan_count=21857581, drop_count=0, exec_time=1654863709, api_et=1654849260.000000000, api_lt=1654863660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654849260.000000000, search_lt=1654863660.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2574", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=149, eliminated_buckets=1, considered_events=21857581, total_slices=1506958, decompressed_slices=382060, duration.command.search.index=8559, invocations.command.search.index.bucketcache.hit=149, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=62101, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11942346, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 12:21:24.918, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654863600_49514', total_run_time=15.12, event_count=0, result_count=0, available_count=0, scan_count=21863255, drop_count=0, exec_time=1654863649, api_et=1654849200.000000000, api_lt=1654863600.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654849200.000000000, search_lt=1654863600.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2670", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=149, eliminated_buckets=2, considered_events=21863255, total_slices=1505380, decompressed_slices=382066, duration.command.search.index=7865, invocations.command.search.index.bucketcache.hit=149, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59444, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11946101, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 12:20:21.564, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654863540_49491', total_run_time=25.42, event_count=0, result_count=0, available_count=0, scan_count=21869343, drop_count=0, exec_time=1654863590, api_et=1654849140.000000000, api_lt=1654863540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654849140.000000000, search_lt=1654863540.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2761", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=149, eliminated_buckets=2, considered_events=21869343, total_slices=1503684, decompressed_slices=382117, duration.command.search.index=9138, invocations.command.search.index.bucketcache.hit=149, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=73597, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11948347, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 12:20:06.221, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654863480_49465', total_run_time=19.25, event_count=0, result_count=0, available_count=0, scan_count=21872719, drop_count=0, exec_time=1654863529, api_et=1654849080.000000000, api_lt=1654863480.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654849080.000000000, search_lt=1654863480.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2797", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=148, eliminated_buckets=1, considered_events=21872719, total_slices=1501930, decompressed_slices=382196, duration.command.search.index=8183, invocations.command.search.index.bucketcache.hit=148, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58425, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11949644, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 12:18:25.110, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654863420_49444', total_run_time=20.02, event_count=0, result_count=0, available_count=0, scan_count=21877531, drop_count=0, exec_time=1654863470, api_et=1654849020.000000000, api_lt=1654863420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654849020.000000000, search_lt=1654863420.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2606", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=148, eliminated_buckets=0, considered_events=21877531, total_slices=1500166, decompressed_slices=382301, duration.command.search.index=8049, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=63674, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11950767, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 12:17:24.543, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654863360_49421', total_run_time=20.54, event_count=0, result_count=0, available_count=0, scan_count=21878241, drop_count=0, exec_time=1654863409, api_et=1654848960.000000000, api_lt=1654863360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654848960.000000000, search_lt=1654863360.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2734", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=148, eliminated_buckets=0, considered_events=21878241, total_slices=1498517, decompressed_slices=382300, duration.command.search.index=8124, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=63411, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11952790, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 12:16:24.721, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654863300_49404', total_run_time=22.15, event_count=0, result_count=0, available_count=0, scan_count=21881184, drop_count=0, exec_time=1654863349, api_et=1654848900.000000000, api_lt=1654863300.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654848900.000000000, search_lt=1654863300.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2799", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=148, eliminated_buckets=0, considered_events=21881184, total_slices=1496813, decompressed_slices=382451, duration.command.search.index=8788, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=67655, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11956000, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 12:16:24.577, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654863360_49415', total_run_time=8.01, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654863371, api_et=1654859160.000000000, api_lt=1654862760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654859760.000000000, search_lt=1654863373.125169000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3417", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_4278a376eb5a1010", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1059, eliminated_buckets=372, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=682, invocations.command.search.index.bucketcache.hit=1059, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes 
values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 12:15:11.457, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654863240_49385', total_run_time=19.31, event_count=0, result_count=0, available_count=0, scan_count=21885860, drop_count=0, exec_time=1654863290, api_et=1654848840.000000000, api_lt=1654863240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654848840.000000000, search_lt=1654863240.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2823", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=148, eliminated_buckets=0, considered_events=21885860, total_slices=1495028, 
decompressed_slices=382464, duration.command.search.index=8778, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=69802, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11958185, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 12:15:11.175, 
user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654863180_49362', total_run_time=17.34, event_count=0, result_count=0, available_count=0, scan_count=21889111, drop_count=0, exec_time=1654863229, api_et=1654848780.000000000, api_lt=1654863180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654848780.000000000, search_lt=1654863180.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2591", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=148, eliminated_buckets=0, considered_events=21889111, total_slices=1493346, decompressed_slices=382513, duration.command.search.index=8187, invocations.command.search.index.bucketcache.hit=148, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=72078, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11961480, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" 
dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 12:15:11.082, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654863240_49372', total_run_time=8.39, event_count=0, result_count=0, available_count=0, scan_count=15532, drop_count=0, exec_time=1654863263, api_et=1654859640.000000000, api_lt=1654863240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654859640.000000000, search_lt=1654863264.960933000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2871", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=418, eliminated_buckets=284, considered_events=15688, total_slices=713596, decompressed_slices=3217, duration.command.search.index=1751, invocations.command.search.index.bucketcache.hit=418, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=6525, invocations.command.search.rawdata.bucketcache.hit=9, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=50, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=151, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=325, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=71, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=2, sourcetype_count__crowdstrike:falcon:fdr:PdfFileWritten=1, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=279, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=3, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR 
sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." 
(CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-10-2022 12:13:09.611, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654863120_49334', total_run_time=13.76, event_count=0, result_count=0, available_count=0, scan_count=21895702, drop_count=0, exec_time=1654863169, api_et=1654848720.000000000, api_lt=1654863120.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654848720.000000000, search_lt=1654863120.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2629", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=148, eliminated_buckets=0, considered_events=21895702, total_slices=1491495, decompressed_slices=382554, duration.command.search.index=7430, invocations.command.search.index.bucketcache.hit=148, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59952, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11963954, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 12:12:09.335, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654863060_49316', total_run_time=12.86, event_count=0, result_count=0, available_count=0, scan_count=21897618, drop_count=0, exec_time=1654863109, api_et=1654848660.000000000, api_lt=1654863060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654848660.000000000, search_lt=1654863060.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2973", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=148, eliminated_buckets=1, considered_events=21897618, total_slices=1489988, decompressed_slices=382563, duration.command.search.index=7735, invocations.command.search.index.bucketcache.hit=148, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56610, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11966193, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 12:11:09.570, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654863000_49291', total_run_time=13.08, event_count=0, result_count=0, available_count=0, scan_count=21899814, drop_count=0, exec_time=1654863050, api_et=1654848600.000000000, api_lt=1654863000.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654848600.000000000, search_lt=1654863000.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2668", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=148, eliminated_buckets=1, considered_events=21899814, total_slices=1488101, decompressed_slices=382629, duration.command.search.index=7790, invocations.command.search.index.bucketcache.hit=148, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55828, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11967916, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 12:11:09.476, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654863060_49298', total_run_time=4.57, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654863064, api_et=1654859460.000000000, api_lt=1654863060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654859460.000000000, search_lt=1654863065.922146000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2203", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_588bd8e51a80768d", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=129, eliminated_buckets=54, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=80, invocations.command.search.index.bucketcache.hit=129, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting 
to collect intellectual property from the Gitlab source control system." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 12:10:09.413, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654862940_49270', total_run_time=14.05, event_count=0, result_count=0, available_count=0, scan_count=21902281, drop_count=0, exec_time=1654862990, api_et=1654848540.000000000, api_lt=1654862940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654848540.000000000, search_lt=1654862940.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2675", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=146, eliminated_buckets=0, considered_events=21902281, total_slices=1486565, decompressed_slices=382747, duration.command.search.index=7764, invocations.command.search.index.bucketcache.hit=146, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57446, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11968519, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 12:09:39.484, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654862940_49262', total_run_time=20.65, event_count=0, result_count=0, available_count=0, scan_count=4221271, drop_count=0, exec_time=1654862945, api_et=1654858740.000000000, api_lt=1654862340.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654858740.000000000, search_lt=1654862340.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="2964", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_45218e16089a63ef", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=787, eliminated_buckets=361, considered_events=4221271, total_slices=1165440, decompressed_slices=195999, duration.command.search.index=1780, invocations.command.search.index.bucketcache.hit=786, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=32320, invocations.command.search.rawdata.bucketcache.hit=9, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=125, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", 
risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 12:09:20.774, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654862880_49254', total_run_time=12.92, event_count=0, result_count=0, available_count=0, scan_count=21903098, drop_count=0, exec_time=1654862929, api_et=1654848480.000000000, api_lt=1654862880.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654848480.000000000, search_lt=1654862880.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2973", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=146, eliminated_buckets=0, considered_events=21903098, total_slices=1484897, decompressed_slices=382750, duration.command.search.index=7643, invocations.command.search.index.bucketcache.hit=146, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56527, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, 
duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11968727, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 12:08:39.456, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654862820_49245', total_run_time=25.88, event_count=1206, result_count=59, available_count=0, scan_count=347933, drop_count=0, exec_time=1654862884, api_et=1654859220.000000000, api_lt=1654862820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654859220.000000000, search_lt=1654862886.047486000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - Windows - CLI Threat Indicator 
Detected - Rule", search_startup_time="2812", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=417, eliminated_buckets=206, considered_events=353806, total_slices=608553, decompressed_slices=102402, duration.command.search.index=3223, invocations.command.search.index.bucketcache.hit=417, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=26965, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=4, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=277582, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=33272, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory 
notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-10-2022 12:08:09.573, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654862820_49237', total_run_time=13.65, event_count=0, result_count=0, available_count=0, scan_count=21903810, drop_count=0, exec_time=1654862869, api_et=1654848420.000000000, api_lt=1654862820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654848420.000000000, search_lt=1654862820.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2768", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=146, eliminated_buckets=0, considered_events=21903810, total_slices=1482594, decompressed_slices=382810, duration.command.search.index=7935, invocations.command.search.index.bucketcache.hit=146, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56676, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11968277, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 12:07:39.329, user=u00002, action=search, info=completed, search_id='scheduler__u00002__search__RMD5b133e58a16dd7195_at_1654862400_49186', total_run_time=162.53, event_count=2696, result_count=2695, available_count=0, scan_count=1756773, 
drop_count=0, exec_time=1654862690, api_et=1654776000.000000000, api_lt=1654862400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1567209600.000000000, search_lt=1654862400.000000000, is_realtime=0, savedsearch_name="DMO Confluence Aging Metrics", search_startup_time="64429", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_search_u00002_69582c85f4bf69b9", app="search", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=30399, eliminated_buckets=4771, considered_events=1756773, total_slices=14090982, decompressed_slices=1089738, duration.command.search.index=1066354, invocations.command.search.index.bucketcache.hit=26596, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=3849, duration.command.search.index.bucketcache.miss=526861, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=222012, invocations.command.search.rawdata.bucketcache.hit=18867, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=1632, duration.command.search.rawdata.bucketcache.miss=341877, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__access=71088, sourcetype_count__atlassian:confluence:access=1170765, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search earliest=08/31/2019:00:00:00 latest=now index=ops_confluence url IN ("https://confluence.tshirt.com/display/SEC/*") uri_path="/rest/quickreload/latest/*" | fields url, uri_path | rex field=uri_path "\/rest\/quickreload\/latest\/(?[^?]+)" | rex field=url 
"https:\/\/confluence.tshirt.com\/display\/SEC\/(?[^?]+)" | rex field=url "https://confluence.tshirt.com/display/~u00001/(?[^?]+)" | eval pageTitle=coalesce(pageTitle_1, pageTitle_2, "") | fields pageId, pageTitle | dedup pageId | join type=left pageId [search earliest=08/31/2019:00:00:00 latest=now index=ops_confluence PUT user=* url="https://confluence.tshirt.com/pages/resumedraft.action?draftId=*" uri_path="/rest/api/content/*" | rex field=uri_path "\/rest\/api\/content\/(?[^?]+)\?status=draft" | stats latest(_time) AS last_edited latest(user) AS last_edited_by by pageId | fields last_edited last_edited_by pageId] | fields last_edited pageTitle pageId last_edited_by | eval days=round(((now()-last_edited)/86400),0) | convert ctime(last_edited) | table last_edited pageTitle pageId last_edited_by days | where pageId!=0 | sort +days | outputlookup dmo_conf_age.csv'] Audit:[timestamp=06-10-2022 12:07:39.243, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654862820_49232', total_run_time=6.04, event_count=0, result_count=0, available_count=0, scan_count=2, drop_count=0, exec_time=1654862846, api_et=1654859220.000000000, api_lt=1654862820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654859220.000000000, search_lt=1654862848.665832000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2914", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_8a51bf08bf9f1579", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=417, eliminated_buckets=206, considered_events=2, total_slices=20402, decompressed_slices=2, duration.command.search.index=730, invocations.command.search.index.bucketcache.hit=417, 
duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=289, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 12:07:09.404, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654862760_49217', total_run_time=14.17, event_count=0, result_count=0, available_count=0, scan_count=21903824, drop_count=0, exec_time=1654862811, api_et=1654848360.000000000, api_lt=1654862760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654848360.000000000, search_lt=1654862760.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3387", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=146, eliminated_buckets=0, considered_events=21903824, total_slices=1481431, decompressed_slices=382821, duration.command.search.index=8155, invocations.command.search.index.bucketcache.hit=146, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58939, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11968792, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 12:06:09.203, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654862700_49203', total_run_time=14.65, event_count=0, result_count=0, available_count=0, scan_count=21906975, drop_count=0, exec_time=1654862750, api_et=1654848300.000000000, api_lt=1654862700.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654848300.000000000, search_lt=1654862700.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3030", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=146, eliminated_buckets=0, considered_events=21906975, total_slices=1479704, decompressed_slices=382804, duration.command.search.index=8366, invocations.command.search.index.bucketcache.hit=146, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61193, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11969183, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 12:05:10.006, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654862640_49185', total_run_time=16.42, event_count=0, result_count=0, available_count=0, scan_count=21911792, drop_count=0, exec_time=1654862690, api_et=1654848240.000000000, api_lt=1654862640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654848240.000000000, search_lt=1654862640.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2732", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=146, eliminated_buckets=0, considered_events=21911792, total_slices=1478011, decompressed_slices=382795, duration.command.search.index=8909, invocations.command.search.index.bucketcache.hit=146, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=63609, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11971962, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 12:04:54.925, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654862580_49142', total_run_time=16.66, event_count=0, result_count=0, available_count=0, scan_count=21914177, drop_count=0, exec_time=1654862629, api_et=1654848180.000000000, api_lt=1654862580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654848180.000000000, search_lt=1654862580.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2729", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=146, eliminated_buckets=0, considered_events=21914177, total_slices=1476267, decompressed_slices=382835, duration.command.search.index=10158, invocations.command.search.index.bucketcache.hit=146, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=77029, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11972956, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 12:03:11.170, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654862520_49096', total_run_time=17.99, event_count=0, result_count=0, available_count=0, scan_count=21917904, drop_count=0, exec_time=1654862569, api_et=1654848120.000000000, api_lt=1654862520.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654848120.000000000, search_lt=1654862520.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2674", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=146, eliminated_buckets=0, considered_events=21917904, total_slices=1474636, decompressed_slices=382913, duration.command.search.index=9426, invocations.command.search.index.bucketcache.hit=146, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=71481, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11974240, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 12:02:09.409, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654862460_49065', total_run_time=16.92, event_count=0, result_count=0, available_count=0, scan_count=21923171, drop_count=0, exec_time=1654862509, api_et=1654848060.000000000, api_lt=1654862460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654848060.000000000, search_lt=1654862460.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2566", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=146, eliminated_buckets=0, considered_events=21923171, total_slices=1472851, decompressed_slices=382994, duration.command.search.index=10150, invocations.command.search.index.bucketcache.hit=146, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=74780, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11975646, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 12:01:39.631, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654862400_49033', total_run_time=18.82, event_count=0, result_count=0, available_count=0, scan_count=21930025, drop_count=0, exec_time=1654862449, api_et=1654848000.000000000, api_lt=1654862400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654848000.000000000, search_lt=1654862400.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2539", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=146, eliminated_buckets=0, considered_events=21930025, total_slices=1471092, decompressed_slices=383039, duration.command.search.index=10085, invocations.command.search.index.bucketcache.hit=146, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=71952, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11976835, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 12:01:39.558, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD5447569e8e48a25cb_at_1654862400_49029', total_run_time=63.11, event_count=0, result_count=101, available_count=0, scan_count=0, drop_count=0, exec_time=1654862432, api_et=1654860600.000000000, api_lt=1654862400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654860600.000000000, search_lt=1654862400.000000000, is_realtime=0, savedsearch_name="DMO SOP SIR Metrics", search_startup_time="63827", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, 
searched_buckets=0, eliminated_buckets=0, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=0, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='| inputlookup dmo_conf_age.csv | search pageTitle IN ("DMOESS*", "RQ-S*") NOT pageTitle IN ("*+Retired", "*+RETIRED") | rex field=pageTitle "^(?\S+?)\+" | join usecase_id [| search earliest=-1y index=sec_snow sourcetype=snow:sn_si_incident | rex field=description "(?s)\|\s(?(RQ-|DMOESS).*)?For ServiceNow Consumption:" | stats latest(number) as latest_sir_number by _time, usecase_title | makemv usecase_title delim=" | " | mvexpand usecase_title | search usecase_title IN ("RQ-*", "DMOESS*") | stats last(latest_sir_number) as latest_sir_number latest(_time) as last_appeared_in_sir by usecase_title | rex field=usecase_title "^(?\S*)" | fields usecase_id, usecase_title, latest_sir_number, last_appeared_in_sir] | stats values(pageTitle) as conf_pageTitle, values(last_edited_by) as conf_last_edited_by, values(last_edited) as conf_last_edited, values(days) as conf_days_since_last_edit, values(pageId) as conf_pageId by last_appeared_in_sir, 
latest_sir_number, usecase_id, usecase_title | convert ctime(last_appeared_in_sir) | outputlookup dmo_sop_sir_metrics.csv'] Audit:[timestamp=06-10-2022 11:45:13.286, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654861380_48743', total_run_time=22.09, event_count=0, result_count=0, available_count=0, scan_count=3773, drop_count=0, exec_time=1654861418, api_et=1654857780.000000000, api_lt=1654861380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654857780.000000000, search_lt=1654861420.716829000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2770", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_06e5333c21d381c8", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=3773, total_slices=1072596, decompressed_slices=1317, duration.command.search.index=1070, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5063, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 11:37:57.698, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654860780_48536', total_run_time=35.99, event_count=0, result_count=0, available_count=0, scan_count=42519562, drop_count=0, exec_time=1654860805, api_et=1654857180.000000000, api_lt=1654860780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654857180.000000000, search_lt=1654860807.172761000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3956", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_9820a9049e9303bc", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1877, eliminated_buckets=133, considered_events=42519562, total_slices=14761037, decompressed_slices=4410079, duration.command.search.index=15835, invocations.command.search.index.bucketcache.hit=1877, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=233195, invocations.command.search.rawdata.bucketcache.hit=331, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 11:16:44.220, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654859760_48196', total_run_time=6.47, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654859770, api_et=1654855560.000000000, api_lt=1654859160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654856160.000000000, search_lt=1654859772.099309000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3154", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_be4d4b04df6ccd07", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1057, eliminated_buckets=370, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=675, invocations.command.search.index.bucketcache.hit=1056, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 11:14:44.379, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654859640_48155', total_run_time=5.46, event_count=0, result_count=0, available_count=0, scan_count=12576, drop_count=0, exec_time=1654859663, api_et=1654856040.000000000, api_lt=1654859640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654856040.000000000, search_lt=1654859664.891785000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2815", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=414, eliminated_buckets=288, considered_events=12576, total_slices=747828, decompressed_slices=2814, duration.command.search.index=1126, invocations.command.search.index.bucketcache.hit=414, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5816, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=41, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=124, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=251, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=61, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=3, 
sourcetype_count__crowdstrike:falcon:fdr:PdfFileWritten=1, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=253, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=2, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR 
sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-10-2022 11:11:13.663, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654859460_48089', total_run_time=5.12, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654859464, api_et=1654855860.000000000, api_lt=1654859460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654855860.000000000, search_lt=1654859467.017685000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="3039", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_69a4ebe0c316c5ed", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=55, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=74, 
invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 11:10:43.281, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654859340_48056', total_run_time=27.84, event_count=0, result_count=0, available_count=0, scan_count=3984206, drop_count=0, exec_time=1654859345, api_et=1654855140.000000000, api_lt=1654858740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654855140.000000000, search_lt=1654858740.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3175", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_336cd57a6289db81", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=790, eliminated_buckets=361, considered_events=3984206, total_slices=1066832, decompressed_slices=187763, duration.command.search.index=1734, invocations.command.search.index.bucketcache.hit=788, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=30504, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=206, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 11:08:25.717, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654859220_48037', total_run_time=15.20, event_count=1239, result_count=59, available_count=0, scan_count=351387, drop_count=0, exec_time=1654859280, api_et=1654855620.000000000, api_lt=1654859220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654855620.000000000, search_lt=1654859282.562555000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2877", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=413, eliminated_buckets=199, considered_events=355023, total_slices=599744, decompressed_slices=98087, duration.command.search.index=3412, invocations.command.search.index.bucketcache.hit=413, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=26908, invocations.command.search.rawdata.bucketcache.hit=5, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=10, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=281980, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=33653, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype 
CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-10-2022 11:07:55.707, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654859220_48032', total_run_time=4.93, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654859246, api_et=1654855620.000000000, api_lt=1654859220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654855620.000000000, search_lt=1654859248.914132000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2978", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_1203bd2fc0b47432", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=413, eliminated_buckets=199, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=688, invocations.command.search.index.bucketcache.hit=413, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 10:45:12.035, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654857780_47565', total_run_time=34.40, event_count=0, result_count=0, available_count=0, scan_count=4329, drop_count=0, exec_time=1654857818, api_et=1654854180.000000000, api_lt=1654857780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654854180.000000000, search_lt=1654857820.879814000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2895", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_2dbd119196e3fd6d", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=0, considered_events=4329, total_slices=992179, decompressed_slices=1536, duration.command.search.index=1637, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5352, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 10:34:10.052, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654857180_47356', total_run_time=42.03, event_count=0, result_count=0, available_count=0, scan_count=42687426, drop_count=0, exec_time=1654857205, api_et=1654853580.000000000, api_lt=1654857180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654853580.000000000, search_lt=1654857207.220762000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="4014", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_7406d03652aa3232", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1859, eliminated_buckets=133, considered_events=42687426, total_slices=14772899, decompressed_slices=4392310, duration.command.search.index=16220, invocations.command.search.index.bucketcache.hit=1858, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=238069, invocations.command.search.rawdata.bucketcache.hit=307, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 10:16:43.780, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654856160_47008', total_run_time=8.27, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654856171, api_et=1654851960.000000000, api_lt=1654855560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654852560.000000000, search_lt=1654856173.025530000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3222", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_62fe41ee982ccab7", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1060, eliminated_buckets=374, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=676, invocations.command.search.index.bucketcache.hit=1060, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 10:15:40.197, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654856040_46968', total_run_time=12.20, event_count=0, result_count=0, available_count=0, scan_count=18225, drop_count=0, exec_time=1654856063, api_et=1654852440.000000000, api_lt=1654856040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654852440.000000000, search_lt=1654856065.067373000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2943", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=413, eliminated_buckets=283, considered_events=18337, total_slices=839003, decompressed_slices=3156, duration.command.search.index=1404, invocations.command.search.index.bucketcache.hit=413, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=7642, invocations.command.search.rawdata.bucketcache.hit=7, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=35, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=126, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=280, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=63, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=2, 
sourcetype_count__crowdstrike:falcon:fdr:PdfFileWritten=1, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=268, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=2, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR 
sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-10-2022 10:11:38.222, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654855860_46901', total_run_time=4.70, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654855864, api_et=1654852260.000000000, api_lt=1654855860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654852260.000000000, search_lt=1654855866.222488000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2744", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_0cee8d86df6820b1", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=129, eliminated_buckets=54, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=64, 
invocations.command.search.index.bucketcache.hit=129, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 10:10:06.980, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654855740_46869', total_run_time=26.59, event_count=0, result_count=0, available_count=0, scan_count=3996009, drop_count=0, exec_time=1654855745, api_et=1654851540.000000000, api_lt=1654855140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654851540.000000000, search_lt=1654855140.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3226", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_f031d2ff154001bb", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=799, eliminated_buckets=375, considered_events=3996009, total_slices=1109252, decompressed_slices=185324, duration.command.search.index=1871, invocations.command.search.index.bucketcache.hit=798, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=34257, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=291, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 10:08:37.367, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654855620_46850', total_run_time=29.32, event_count=1264, result_count=62, available_count=0, scan_count=366725, drop_count=0, exec_time=1654855680, api_et=1654852020.000000000, api_lt=1654855620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654852020.000000000, search_lt=1654855682.327985000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2833", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=412, eliminated_buckets=202, considered_events=372350, total_slices=549426, decompressed_slices=107274, duration.command.search.index=5146, invocations.command.search.index.bucketcache.hit=412, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=42890, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=1, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=294080, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=35650, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype 
CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-10-2022 10:08:07.360, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654855620_46845', total_run_time=11.60, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654855646, api_et=1654852020.000000000, api_lt=1654855620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654852020.000000000, search_lt=1654855648.494009000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2878", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_fb9387b828fa3cfd", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=412, eliminated_buckets=202, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=1315, invocations.command.search.index.bucketcache.hit=412, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 09:47:54.818, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654854180_46378', total_run_time=23.90, event_count=0, result_count=0, available_count=0, scan_count=3950, drop_count=0, exec_time=1654854217, api_et=1654850580.000000000, api_lt=1654854180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654850580.000000000, search_lt=1654854219.489071000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2351", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_d9885079e29bebe0", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=3950, total_slices=948504, decompressed_slices=1324, duration.command.search.index=1073, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4891, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 09:34:24.607, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654853580_46172', total_run_time=44.51, event_count=0, result_count=0, available_count=0, scan_count=42512738, drop_count=0, exec_time=1654853605, api_et=1654849980.000000000, api_lt=1654853580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654849980.000000000, search_lt=1654853607.009491000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3722", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_c0fde91ef2356c0e", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1862, eliminated_buckets=133, considered_events=42512738, total_slices=14668670, decompressed_slices=4348696, duration.command.search.index=15068, invocations.command.search.index.bucketcache.hit=1861, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=237436, invocations.command.search.rawdata.bucketcache.hit=309, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 09:16:28.423, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654852560_45830', total_run_time=8.69, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654852570, api_et=1654848360.000000000, api_lt=1654851960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654848960.000000000, search_lt=1654852572.599203000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3272", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_f4f5e4345e98265f", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1061, eliminated_buckets=374, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=673, invocations.command.search.index.bucketcache.hit=1060, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?<rapiddiag_operation>task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metadata")` | rex field=uri "\?(?<get_parameters>.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?<task_name>.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metadata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 09:14:58.094, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654852440_45790', total_run_time=5.34, event_count=0, result_count=0, available_count=0, scan_count=17551, drop_count=0, exec_time=1654852463, api_et=1654848840.000000000, api_lt=1654852440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654848840.000000000, search_lt=1654852465.507980000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2929", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=407, eliminated_buckets=282, considered_events=17551, total_slices=826152, decompressed_slices=3821, duration.command.search.index=1042, invocations.command.search.index.bucketcache.hit=407, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=6121, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=40, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=164, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=357, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=85, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=7, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=114, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=3, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") 
`filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-10-2022 09:11:15.112, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654852260_45722', total_run_time=5.20, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654852264, api_et=1654848660.000000000, api_lt=1654852260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654848660.000000000, search_lt=1654852266.932709000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="3093", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_bffe1259f48e86dd", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=129, eliminated_buckets=55, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=62, invocations.command.search.index.bucketcache.hit=129, 
duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?<dest_host>.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 09:10:48.640, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654852140_45687', total_run_time=19.66, event_count=0, result_count=0, available_count=0, scan_count=4092861, drop_count=0, exec_time=1654852145, api_et=1654847940.000000000, api_lt=1654851540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654847940.000000000, search_lt=1654851540.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3147", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_e0471a88419b505f", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=789, eliminated_buckets=364, considered_events=4092861, total_slices=1143948, decompressed_slices=185690, duration.command.search.index=1621, invocations.command.search.index.bucketcache.hit=788, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=30140, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=142, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?<granted_account_id>\d+?):(?<granted_principal_name>.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 09:08:21.887, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654852020_45669', total_run_time=21.07, event_count=1302, result_count=59, available_count=0, scan_count=377300, drop_count=0, exec_time=1654852080, api_et=1654848420.000000000, api_lt=1654852020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654848420.000000000, search_lt=1654852081.977739000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2838", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=406, eliminated_buckets=196, considered_events=385832, total_slices=478785, decompressed_slices=107679, duration.command.search.index=3504, invocations.command.search.index.bucketcache.hit=406, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=30333, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=6, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=302790, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=35213, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype 
CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-10-2022 09:07:51.887, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654852020_45664', total_run_time=7.50, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654852046, api_et=1654848420.000000000, api_lt=1654852020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654848420.000000000, search_lt=1654852048.419737000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2843", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_5d49d02aaa3d90e9", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=406, eliminated_buckets=196, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=952, invocations.command.search.index.bucketcache.hit=406, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?<dest_host>(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 09:00:43.319, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654851540_45471', total_run_time=24.16, event_count=0, result_count=0, available_count=0, scan_count=22449774, drop_count=0, exec_time=1654851590, api_et=1654837140.000000000, api_lt=1654851540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654837140.000000000, search_lt=1654851540.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2671", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=146, eliminated_buckets=0, considered_events=22449774, total_slices=1538187, decompressed_slices=384945, duration.command.search.index=7883, invocations.command.search.index.bucketcache.hit=146, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59742, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12217075, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 09:00:42.131, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654851480_45458', total_run_time=20.98, event_count=0, result_count=0, available_count=0, scan_count=22449624, drop_count=0, exec_time=1654851529, api_et=1654837080.000000000, api_lt=1654851480.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654837080.000000000, search_lt=1654851480.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2814", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=146, eliminated_buckets=0, considered_events=22449624, total_slices=1536394, decompressed_slices=384965, duration.command.search.index=8052, invocations.command.search.index.bucketcache.hit=146, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58146, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12218180, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 08:58:27.605, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654851420_45442', total_run_time=22.04, event_count=0, result_count=0, available_count=0, scan_count=22449646, drop_count=0, exec_time=1654851470, api_et=1654837020.000000000, api_lt=1654851420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654837020.000000000, search_lt=1654851420.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3186", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=146, eliminated_buckets=0, considered_events=22449646, total_slices=1534637, decompressed_slices=385008, duration.command.search.index=7966, invocations.command.search.index.bucketcache.hit=146, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59929, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12218871, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 08:57:26.784, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654851360_45424', total_run_time=16.50, event_count=0, result_count=0, available_count=0, scan_count=22449101, drop_count=0, exec_time=1654851409, api_et=1654836960.000000000, api_lt=1654851360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654836960.000000000, search_lt=1654851360.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3220", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=146, eliminated_buckets=0, considered_events=22449101, total_slices=1532941, decompressed_slices=385025, duration.command.search.index=7397, invocations.command.search.index.bucketcache.hit=146, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=62003, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12219607, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 08:56:26.647, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654851300_45413', total_run_time=21.29, event_count=0, result_count=0, available_count=0, scan_count=22447114, drop_count=0, exec_time=1654851349, api_et=1654836900.000000000, api_lt=1654851300.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654836900.000000000, search_lt=1654851300.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3104", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=146, eliminated_buckets=0, considered_events=22447114, total_slices=1531204, decompressed_slices=385099, duration.command.search.index=7939, invocations.command.search.index.bucketcache.hit=146, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59450, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12221824, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 08:55:26.501, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654851240_45396', total_run_time=17.48, event_count=0, result_count=0, available_count=0, scan_count=22445519, drop_count=0, exec_time=1654851289, api_et=1654836840.000000000, api_lt=1654851240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654836840.000000000, search_lt=1654851240.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2707", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=146, eliminated_buckets=0, considered_events=22445519, total_slices=1529519, decompressed_slices=385163, duration.command.search.index=7813, invocations.command.search.index.bucketcache.hit=146, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55065, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12223777, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 08:54:27.511, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654851180_45380', total_run_time=23.81, event_count=0, result_count=0, available_count=0, scan_count=22445777, drop_count=0, exec_time=1654851230, api_et=1654836780.000000000, api_lt=1654851180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654836780.000000000, search_lt=1654851180.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2608", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=146, eliminated_buckets=0, considered_events=22445777, total_slices=1527725, decompressed_slices=385176, duration.command.search.index=7728, invocations.command.search.index.bucketcache.hit=146, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58314, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12223346, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 08:53:25.823, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654850940_45292', total_run_time=40.90, event_count=0, result_count=0, available_count=0, scan_count=22443215, drop_count=0, exec_time=1654850989, api_et=1654836540.000000000, api_lt=1654850940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654836540.000000000, search_lt=1654850940.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2714", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=22443215, total_slices=1520901, decompressed_slices=385339, duration.command.search.index=9535, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=68651, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12223801, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 08:53:25.819, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654850820_45252', total_run_time=17.68, event_count=0, result_count=0, available_count=0, scan_count=22445967, drop_count=0, exec_time=1654850869, api_et=1654836420.000000000, api_lt=1654850820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654836420.000000000, search_lt=1654850820.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2687", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=22445967, total_slices=1517342, decompressed_slices=385488, duration.command.search.index=8514, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59060, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12225846, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 08:53:25.269, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654851120_45356', total_run_time=29.87, event_count=0, result_count=0, available_count=0, scan_count=22447403, drop_count=0, exec_time=1654851169, api_et=1654836720.000000000, api_lt=1654851120.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654836720.000000000, search_lt=1654851120.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2770", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=146, eliminated_buckets=0, considered_events=22447403, total_slices=1525990, decompressed_slices=385323, duration.command.search.index=8402, invocations.command.search.index.bucketcache.hit=146, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61097, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12222072, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 08:53:23.965, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654851000_45315', total_run_time=23.67, event_count=0, result_count=0, available_count=0, scan_count=22444743, drop_count=0, exec_time=1654851050, api_et=1654836600.000000000, api_lt=1654851000.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654836600.000000000, search_lt=1654851000.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2779", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=22444743, total_slices=1522612, decompressed_slices=385376, duration.command.search.index=8493, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=60216, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12224132, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 08:53:23.455, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654851060_45339', total_run_time=28.62, event_count=0, result_count=0, available_count=0, scan_count=22446732, drop_count=0, exec_time=1654851109, api_et=1654836660.000000000, api_lt=1654851060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654836660.000000000, search_lt=1654851060.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2693", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=146, eliminated_buckets=1, considered_events=22446732, total_slices=1524362, decompressed_slices=385355, duration.command.search.index=8825, invocations.command.search.index.bucketcache.hit=146, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=63927, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12221935, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 08:53:22.683, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654850880_45269', total_run_time=35.43, event_count=0, result_count=0, available_count=0, scan_count=22444196, drop_count=0, exec_time=1654850929, api_et=1654836480.000000000, api_lt=1654850880.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654836480.000000000, search_lt=1654850880.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2757", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=22444196, total_slices=1519016, decompressed_slices=385435, duration.command.search.index=8825, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=60948, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12224719, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 08:47:05.009, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654850760_45230', total_run_time=14.78, event_count=0, result_count=0, available_count=0, scan_count=22443115, drop_count=0, exec_time=1654850809, api_et=1654836360.000000000, api_lt=1654850760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654836360.000000000, search_lt=1654850760.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2680", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=22443115, total_slices=1515701, decompressed_slices=385480, duration.command.search.index=7805, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56103, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12224843, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 08:46:36.027, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654850700_45212', total_run_time=20.50, event_count=0, result_count=0, available_count=0, scan_count=22439027, drop_count=0, exec_time=1654850749, api_et=1654836300.000000000, api_lt=1654850700.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654836300.000000000, search_lt=1654850700.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2585", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=22439027, total_slices=1513987, decompressed_slices=385481, duration.command.search.index=7700, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61797, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12223810, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 08:45:21.463, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654850640_45190', total_run_time=15.30, event_count=0, result_count=0, available_count=0, scan_count=22436615, drop_count=0, exec_time=1654850690, api_et=1654836240.000000000, api_lt=1654850640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654836240.000000000, search_lt=1654850640.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3165", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=22436615, total_slices=1512312, decompressed_slices=385426, duration.command.search.index=7726, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59073, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12223708, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 08:44:55.019, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654850520_45140', total_run_time=17.95, event_count=0, result_count=0, available_count=0, scan_count=22438025, drop_count=0, exec_time=1654850569, api_et=1654836120.000000000, api_lt=1654850520.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654836120.000000000, search_lt=1654850520.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2799", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=22438025, total_slices=1508862, decompressed_slices=385523, duration.command.search.index=8027, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=60756, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12223436, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 08:44:54.723, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654850280_45054', total_run_time=14.23, event_count=0, result_count=0, available_count=0, scan_count=22437247, drop_count=0, exec_time=1654850329, api_et=1654835880.000000000, api_lt=1654850280.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654835880.000000000, search_lt=1654850280.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2787", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=1, considered_events=22437247, total_slices=1502058, decompressed_slices=385749, duration.command.search.index=7806, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58775, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12225651, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 08:44:53.855, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654850580_45169', total_run_time=24.80, event_count=0, result_count=0, available_count=0, scan_count=22436631, drop_count=0, exec_time=1654850629, api_et=1654836180.000000000, api_lt=1654850580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654836180.000000000, search_lt=1654850580.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3075", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=22436631, total_slices=1510570, decompressed_slices=385412, duration.command.search.index=7925, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61277, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12223914, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 08:44:53.661, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654850220_45040', total_run_time=26.81, event_count=0, result_count=0, available_count=0, scan_count=22440919, drop_count=0, exec_time=1654850269, api_et=1654835820.000000000, api_lt=1654850220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654835820.000000000, search_lt=1654850220.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2780", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=1, considered_events=22440919, total_slices=1500275, decompressed_slices=385825, duration.command.search.index=7961, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59268, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12228028, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 08:44:53.433, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654850460_45117', total_run_time=23.42, event_count=0, result_count=0, available_count=0, scan_count=22434345, drop_count=0, exec_time=1654850509, api_et=1654836060.000000000, api_lt=1654850460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654836060.000000000, search_lt=1654850460.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2773", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=22434345, total_slices=1507242, decompressed_slices=385484, duration.command.search.index=8352, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=63034, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12222357, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 08:44:53.356, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654850340_45070', total_run_time=27.48, event_count=0, result_count=0, available_count=0, scan_count=22435783, drop_count=0, exec_time=1654850389, api_et=1654835940.000000000, api_lt=1654850340.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654835940.000000000, search_lt=1654850340.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2616", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=1, considered_events=22435783, total_slices=1503749, decompressed_slices=385656, duration.command.search.index=8067, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59834, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12223869, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 08:44:52.563, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654850400_45091', total_run_time=27.44, event_count=0, result_count=0, available_count=0, scan_count=22435555, drop_count=0, exec_time=1654850449, api_et=1654836000.000000000, api_lt=1654850400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654836000.000000000, search_lt=1654850400.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2733", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=22435555, total_slices=1505466, decompressed_slices=385579, duration.command.search.index=8223, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=60299, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12222940, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 08:44:52.384, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654850580_45166', total_run_time=35.50, event_count=0, result_count=0, available_count=0, scan_count=3936, drop_count=0, exec_time=1654850618, api_et=1654846980.000000000, api_lt=1654850580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654846980.000000000, search_lt=1654850620.731221000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2872", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_862cb12123d2bfe4", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=3936, total_slices=981319, decompressed_slices=1303, duration.command.search.index=1144, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5037, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter 
vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 08:37:24.008, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654850160_45025', total_run_time=18.50, event_count=0, result_count=0, available_count=0, scan_count=22439375, drop_count=0, exec_time=1654850210, api_et=1654835760.000000000, api_lt=1654850160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654835760.000000000, search_lt=1654850160.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2815", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=1, considered_events=22439375, total_slices=1498578, decompressed_slices=385882, duration.command.search.index=7936, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59782, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12226607, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 08:36:22.380, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654850100_45015', total_run_time=15.13, event_count=0, result_count=0, available_count=0, scan_count=22440264, drop_count=0, exec_time=1654850150, api_et=1654835700.000000000, api_lt=1654850100.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654835700.000000000, search_lt=1654850100.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2969", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=1, considered_events=22440264, total_slices=1496882, decompressed_slices=386036, duration.command.search.index=7947, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58681, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12227856, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 08:35:24.086, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654850040_44994', total_run_time=18.80, event_count=0, result_count=0, available_count=0, scan_count=22438721, drop_count=0, exec_time=1654850090, api_et=1654835640.000000000, api_lt=1654850040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654835640.000000000, search_lt=1654850040.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2868", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=1, considered_events=22438721, total_slices=1495069, decompressed_slices=386013, duration.command.search.index=8332, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=60596, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12229101, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 08:34:52.478, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654849980_44958', total_run_time=42.14, event_count=0, result_count=0, available_count=0, scan_count=22439298, drop_count=0, exec_time=1654850029, api_et=1654835580.000000000, api_lt=1654849980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654835580.000000000, search_lt=1654849980.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2676", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=143, eliminated_buckets=0, considered_events=22439298, total_slices=1493077, decompressed_slices=386067, duration.command.search.index=9543, invocations.command.search.index.bucketcache.hit=143, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=71943, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12230092, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 08:34:22.136, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654849980_44946', total_run_time=52.70, event_count=0, result_count=0, available_count=0, scan_count=42562470, drop_count=0, exec_time=1654850006, api_et=1654846380.000000000, api_lt=1654849980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654846380.000000000, search_lt=1654850008.302434000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3840", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_d1043790aebdd76b", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1862, eliminated_buckets=133, considered_events=42562470, total_slices=14609431, decompressed_slices=4342856, duration.command.search.index=14880, invocations.command.search.index.bucketcache.hit=1862, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=244383, invocations.command.search.rawdata.bucketcache.hit=306, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 08:33:52.492, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654849920_44922', total_run_time=37.75, event_count=0, result_count=0, available_count=0, scan_count=22439908, drop_count=0, exec_time=1654849970, api_et=1654835520.000000000, api_lt=1654849920.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654835520.000000000, search_lt=1654849920.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2644", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=143, eliminated_buckets=0, considered_events=22439908, total_slices=1491755, decompressed_slices=386121, duration.command.search.index=9089, invocations.command.search.index.bucketcache.hit=143, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=70146, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12230424, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 08:32:21.861, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654849860_44893', total_run_time=26.56, event_count=0, result_count=0, available_count=0, scan_count=22440189, drop_count=0, exec_time=1654849909, api_et=1654835460.000000000, api_lt=1654849860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654835460.000000000, search_lt=1654849860.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3162", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=143, eliminated_buckets=0, considered_events=22440189, total_slices=1490046, decompressed_slices=386181, duration.command.search.index=8957, invocations.command.search.index.bucketcache.hit=143, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=66497, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12231092, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 08:32:20.938, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654849680_44822', total_run_time=19.72, event_count=0, result_count=0, available_count=0, scan_count=22447927, drop_count=0, exec_time=1654849729, api_et=1654835280.000000000, api_lt=1654849680.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654835280.000000000, search_lt=1654849680.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2662", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=143, eliminated_buckets=0, considered_events=22447927, total_slices=1484789, decompressed_slices=386363, duration.command.search.index=7984, invocations.command.search.index.bucketcache.hit=143, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58594, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12238386, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 08:32:20.780, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654849620_44808', total_run_time=17.66, event_count=0, result_count=0, available_count=0, scan_count=22449890, drop_count=0, exec_time=1654849669, api_et=1654835220.000000000, api_lt=1654849620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654835220.000000000, search_lt=1654849620.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2632", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=143, eliminated_buckets=0, considered_events=22449890, total_slices=1483001, decompressed_slices=386315, duration.command.search.index=7861, invocations.command.search.index.bucketcache.hit=143, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=60470, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12239430, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 08:32:20.004, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654849740_44836', total_run_time=14.87, event_count=0, result_count=0, available_count=0, scan_count=22442369, drop_count=0, exec_time=1654849790, api_et=1654835340.000000000, api_lt=1654849740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654835340.000000000, search_lt=1654849740.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2865", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=143, eliminated_buckets=0, considered_events=22442369, total_slices=1486598, decompressed_slices=386347, duration.command.search.index=7707, invocations.command.search.index.bucketcache.hit=143, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59551, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12235518, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 08:32:19.098, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654849800_44865', total_run_time=33.20, event_count=0, result_count=0, available_count=0, scan_count=22441267, drop_count=0, exec_time=1654849849, api_et=1654835400.000000000, api_lt=1654849800.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654835400.000000000, search_lt=1654849800.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2751", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=143, eliminated_buckets=0, considered_events=22441267, total_slices=1488346, decompressed_slices=386231, duration.command.search.index=9785, invocations.command.search.index.bucketcache.hit=143, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=68865, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12232526, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 08:27:11.079, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654849560_44790', total_run_time=14.16, event_count=0, result_count=0, available_count=0, scan_count=22449371, drop_count=0, exec_time=1654849610, api_et=1654835160.000000000, api_lt=1654849560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654835160.000000000, search_lt=1654849560.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2552", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=143, eliminated_buckets=0, considered_events=22449371, total_slices=1481379, decompressed_slices=386339, duration.command.search.index=7855, invocations.command.search.index.bucketcache.hit=143, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58074, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12239432, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 08:26:11.314, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654849500_44774', total_run_time=17.40, event_count=0, result_count=0, available_count=0, scan_count=22449485, drop_count=0, exec_time=1654849549, api_et=1654835100.000000000, api_lt=1654849500.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654835100.000000000, search_lt=1654849500.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3235", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=143, eliminated_buckets=0, considered_events=22449485, total_slices=1479721, decompressed_slices=386394, duration.command.search.index=7808, invocations.command.search.index.bucketcache.hit=143, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57279, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12241650, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 08:25:11.144, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654849440_44761', total_run_time=16.37, event_count=0, result_count=0, available_count=0, scan_count=22446577, drop_count=0, exec_time=1654849490, api_et=1654835040.000000000, api_lt=1654849440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654835040.000000000, search_lt=1654849440.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2789", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=143, eliminated_buckets=0, considered_events=22446577, total_slices=1477988, decompressed_slices=386429, duration.command.search.index=8045, invocations.command.search.index.bucketcache.hit=143, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56435, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12240737, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 08:24:11.268, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654849380_44742', total_run_time=20.69, event_count=0, result_count=0, available_count=0, scan_count=22444884, drop_count=0, exec_time=1654849429, api_et=1654834980.000000000, api_lt=1654849380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654834980.000000000, search_lt=1654849380.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2533", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=143, eliminated_buckets=0, considered_events=22444884, total_slices=1476210, decompressed_slices=386444, duration.command.search.index=8069, invocations.command.search.index.bucketcache.hit=143, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57617, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12240937, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 08:23:41.296, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654849320_44709', total_run_time=26.06, event_count=0, result_count=0, available_count=0, scan_count=22446071, drop_count=0, exec_time=1654849369, api_et=1654834920.000000000, api_lt=1654849320.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654834920.000000000, search_lt=1654849320.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2876", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=143, eliminated_buckets=0, considered_events=22446071, total_slices=1474502, decompressed_slices=386506, duration.command.search.index=8498, invocations.command.search.index.bucketcache.hit=143, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59240, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12241639, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 08:22:41.074, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654849260_44693', total_run_time=22.37, event_count=0, result_count=0, available_count=0, scan_count=22442840, drop_count=0, exec_time=1654849309, api_et=1654834860.000000000, api_lt=1654849260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654834860.000000000, search_lt=1654849260.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2820", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=143, eliminated_buckets=0, considered_events=22442840, total_slices=1472842, decompressed_slices=386552, duration.command.search.index=8389, invocations.command.search.index.bucketcache.hit=143, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=63615, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12239519, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 08:21:41.502, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654849200_44663', total_run_time=24.44, event_count=0, result_count=0, available_count=0, scan_count=22438723, drop_count=0, exec_time=1654849249, api_et=1654834800.000000000, api_lt=1654849200.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654834800.000000000, search_lt=1654849200.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2725", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=143, eliminated_buckets=0, considered_events=22438723, total_slices=1471140, decompressed_slices=386607, duration.command.search.index=8370, invocations.command.search.index.bucketcache.hit=143, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=60556, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12237386, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 08:21:41.394, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD5f35305de57109d38_at_1654849200_44666', total_run_time=29.22, event_count=12237386, result_count=15, available_count=0, scan_count=22438723, drop_count=0, exec_time=1654849257, api_et=1654834800.000000000, api_lt=1654849200.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654834800.000000000, search_lt=1654849200.000000000, is_realtime=0, savedsearch_name="(1/3)_Public/NAT IP_Updating Existing IP", search_startup_time="2715", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_0f6d107c44b6659a", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=143, eliminated_buckets=0, considered_events=22438723, total_slices=1471321, decompressed_slices=386607, duration.command.search.index=8215, invocations.command.search.index.bucketcache.hit=143, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61261, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12237386, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="False" | eval earliest_seen=strptime(existing_es, "%m/%d/%Y %H:%M:%S.%N") | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(earliest_seen) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields ServiceType, host, src_translated_ip, earliest_seen, latest_seen, right_now, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 08:20:11.199, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654849140_44639', total_run_time=13.47, event_count=0, result_count=0, available_count=0, scan_count=22432812, drop_count=0, exec_time=1654849189, api_et=1654834740.000000000, api_lt=1654849140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654834740.000000000, search_lt=1654849140.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2800", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=143, eliminated_buckets=0, considered_events=22432812, total_slices=1469449, decompressed_slices=386584, duration.command.search.index=8042, invocations.command.search.index.bucketcache.hit=143, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56573, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12235174, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 08:19:11.177, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654849080_44613', total_run_time=15.26, event_count=0, result_count=0, available_count=0, scan_count=22430628, drop_count=0, exec_time=1654849129, api_et=1654834680.000000000, api_lt=1654849080.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654834680.000000000, search_lt=1654849080.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2705", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=143, eliminated_buckets=0, considered_events=22430628, total_slices=1467680, decompressed_slices=386637, duration.command.search.index=8912, invocations.command.search.index.bucketcache.hit=143, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=60073, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12232910, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 08:18:11.303, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654849020_44593', total_run_time=14.20, event_count=0, result_count=0, available_count=0, scan_count=22427377, drop_count=0, exec_time=1654849069, api_et=1654834620.000000000, api_lt=1654849020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654834620.000000000, search_lt=1654849020.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2749", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=143, eliminated_buckets=0, considered_events=22427377, total_slices=1465843, decompressed_slices=386597, duration.command.search.index=8108, invocations.command.search.index.bucketcache.hit=143, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57259, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12229586, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 08:17:11.546, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654848960_44568', total_run_time=17.16, event_count=0, result_count=0, available_count=0, scan_count=22424263, drop_count=0, exec_time=1654849009, api_et=1654834560.000000000, api_lt=1654848960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654834560.000000000, search_lt=1654848960.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2625", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=143, eliminated_buckets=0, considered_events=22424263, total_slices=1464218, decompressed_slices=386643, duration.command.search.index=8920, invocations.command.search.index.bucketcache.hit=143, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=64971, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12228158, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 08:16:41.419, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654848960_44562', total_run_time=7.18, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654848970, api_et=1654844760.000000000, api_lt=1654848360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654845360.000000000, search_lt=1654848972.189507000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3193", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_7d00eb873eced738", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1059, eliminated_buckets=375, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=734, invocations.command.search.index.bucketcache.hit=1059, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes 
values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 08:16:11.112, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654848900_44551', total_run_time=12.76, event_count=0, result_count=0, available_count=0, scan_count=22419747, drop_count=0, exec_time=1654848949, api_et=1654834500.000000000, api_lt=1654848900.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654834500.000000000, search_lt=1654848900.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2805", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=143, eliminated_buckets=0, considered_events=22419747, total_slices=1462472, 
decompressed_slices=386643, duration.command.search.index=7657, invocations.command.search.index.bucketcache.hit=143, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55717, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12225381, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 08:15:11.304, 
user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654848840_44532', total_run_time=16.08, event_count=0, result_count=0, available_count=0, scan_count=22412648, drop_count=0, exec_time=1654848890, api_et=1654834440.000000000, api_lt=1654848840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654834440.000000000, search_lt=1654848840.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2661", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=143, eliminated_buckets=0, considered_events=22412648, total_slices=1460830, decompressed_slices=386618, duration.command.search.index=7611, invocations.command.search.index.bucketcache.hit=143, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59301, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12223074, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" 
dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 08:14:30.909, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654848840_44519', total_run_time=5.39, event_count=0, result_count=0, available_count=0, scan_count=15155, drop_count=0, exec_time=1654848863, api_et=1654845240.000000000, api_lt=1654848840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654845240.000000000, search_lt=1654848865.792933000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2793", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=406, eliminated_buckets=284, considered_events=15766, total_slices=765234, decompressed_slices=3139, duration.command.search.index=1119, invocations.command.search.index.bucketcache.hit=406, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5758, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=53, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=83, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=214, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=49, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=4, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=152, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=9, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR 
sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." 
(CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-10-2022 08:14:11.366, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654848720_44481', total_run_time=16.27, event_count=0, result_count=0, available_count=0, scan_count=22405776, drop_count=0, exec_time=1654848769, api_et=1654834320.000000000, api_lt=1654848720.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654834320.000000000, search_lt=1654848720.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2756", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=143, eliminated_buckets=0, considered_events=22405776, total_slices=1457339, decompressed_slices=386645, duration.command.search.index=8158, invocations.command.search.index.bucketcache.hit=143, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58443, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12217842, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 08:14:10.599, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654848780_44509', total_run_time=16.63, event_count=0, result_count=0, available_count=0, scan_count=22409079, drop_count=0, exec_time=1654848829, api_et=1654834380.000000000, api_lt=1654848780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654834380.000000000, search_lt=1654848780.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2851", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=143, eliminated_buckets=0, considered_events=22409079, total_slices=1459050, decompressed_slices=386683, duration.command.search.index=8086, invocations.command.search.index.bucketcache.hit=143, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58633, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12219715, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 08:12:37.646, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654848660_44462', total_run_time=24.01, event_count=0, result_count=0, available_count=0, scan_count=22401621, drop_count=0, exec_time=1654848709, api_et=1654834260.000000000, api_lt=1654848660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654834260.000000000, search_lt=1654848660.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3022", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=143, eliminated_buckets=0, considered_events=22401621, total_slices=1455632, decompressed_slices=386629, duration.command.search.index=8337, invocations.command.search.index.bucketcache.hit=143, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=66713, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12214318, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 08:11:23.256, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654848600_44437', total_run_time=25.83, event_count=0, result_count=0, available_count=0, scan_count=22398835, drop_count=0, exec_time=1654848650, api_et=1654834200.000000000, api_lt=1654848600.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654834200.000000000, search_lt=1654848600.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2636", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=143, eliminated_buckets=0, considered_events=22398835, total_slices=1453985, decompressed_slices=386721, duration.command.search.index=8122, invocations.command.search.index.bucketcache.hit=143, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=63861, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12212233, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 08:11:23.218, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654848660_44445', total_run_time=5.81, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654848665, api_et=1654845060.000000000, api_lt=1654848660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654845060.000000000, search_lt=1654848667.683286000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="3317", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_bdf74083d554b6c9", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=128, eliminated_buckets=53, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=64, invocations.command.search.index.bucketcache.hit=128, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 08:10:54.892, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654848480_44402', total_run_time=25.80, event_count=0, result_count=0, available_count=0, scan_count=22393169, drop_count=0, exec_time=1654848529, api_et=1654834080.000000000, api_lt=1654848480.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654834080.000000000, search_lt=1654848480.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2918", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=143, eliminated_buckets=0, considered_events=22393169, total_slices=1450531, decompressed_slices=386739, duration.command.search.index=8407, invocations.command.search.index.bucketcache.hit=143, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=63713, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12208302, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 08:10:54.680, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654848540_44410', total_run_time=17.65, event_count=0, result_count=0, available_count=0, scan_count=3956671, drop_count=0, exec_time=1654848546, api_et=1654844340.000000000, api_lt=1654847940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654844340.000000000, search_lt=1654847940.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3121", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_8371e568684acec4", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=789, eliminated_buckets=366, considered_events=3956671, total_slices=1048425, decompressed_slices=179403, duration.command.search.index=1674, invocations.command.search.index.bucketcache.hit=787, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=29466, invocations.command.search.rawdata.bucketcache.hit=9, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=72, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", 
risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 08:10:54.624, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654848420_44386', total_run_time=28.05, event_count=0, result_count=0, available_count=0, scan_count=22392750, drop_count=0, exec_time=1654848469, api_et=1654834020.000000000, api_lt=1654848420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654834020.000000000, search_lt=1654848420.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2669", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=143, eliminated_buckets=0, considered_events=22392750, total_slices=1448741, decompressed_slices=386694, duration.command.search.index=8778, invocations.command.search.index.bucketcache.hit=143, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=64495, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, 
duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12207790, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 08:10:54.583, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654848420_44394', total_run_time=27.39, event_count=1290, result_count=59, available_count=0, scan_count=381560, drop_count=0, exec_time=1654848484, api_et=1654844820.000000000, api_lt=1654848420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654844820.000000000, search_lt=1654848486.113238000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - Windows - CLI Threat Indicator 
Detected - Rule", search_startup_time="2875", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=409, eliminated_buckets=194, considered_events=389319, total_slices=548340, decompressed_slices=109078, duration.command.search.index=4053, invocations.command.search.index.bucketcache.hit=409, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=32622, invocations.command.search.rawdata.bucketcache.hit=6, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=4, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=310057, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=34686, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory 
notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-10-2022 08:10:54.125, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654848540_44418', total_run_time=23.47, event_count=0, result_count=0, available_count=0, scan_count=22395893, drop_count=0, exec_time=1654848590, api_et=1654834140.000000000, api_lt=1654848540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654834140.000000000, search_lt=1654848540.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2700", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=143, eliminated_buckets=0, considered_events=22395893, total_slices=1452285, decompressed_slices=386782, duration.command.search.index=8393, invocations.command.search.index.bucketcache.hit=143, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=60537, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12211151, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 08:07:59.542, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654848420_44381', total_run_time=11.16, event_count=0, result_count=0, available_count=0, 
scan_count=0, drop_count=0, exec_time=1654848446, api_et=1654844820.000000000, api_lt=1654848420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654844820.000000000, search_lt=1654848448.350610000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2812", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_193fbf04cdbb3691", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=409, eliminated_buckets=194, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=1002, invocations.command.search.index.bucketcache.hit=409, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR 
CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 08:07:29.680, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654848360_44364', total_run_time=22.39, event_count=0, result_count=0, available_count=0, scan_count=22389957, drop_count=0, exec_time=1654848410, api_et=1654833960.000000000, api_lt=1654848360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654833960.000000000, search_lt=1654848360.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2614", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=143, eliminated_buckets=0, considered_events=22389957, total_slices=1447118, decompressed_slices=386687, duration.command.search.index=8358, 
invocations.command.search.index.bucketcache.hit=143, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=63156, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12206422, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 08:06:29.605, user=u00002, action=search, info=completed, 
search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654848300_44350', total_run_time=22.87, event_count=0, result_count=0, available_count=0, scan_count=22385243, drop_count=0, exec_time=1654848350, api_et=1654833900.000000000, api_lt=1654848300.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654833900.000000000, search_lt=1654848300.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3146", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=143, eliminated_buckets=0, considered_events=22385243, total_slices=1445402, decompressed_slices=386761, duration.command.search.index=8588, invocations.command.search.index.bucketcache.hit=143, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=63588, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12204506, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" 
src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 08:05:29.590, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654848240_44333', total_run_time=29.53, event_count=0, result_count=0, available_count=0, scan_count=22378961, drop_count=0, exec_time=1654848290, api_et=1654833840.000000000, api_lt=1654848240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654833840.000000000, search_lt=1654848240.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2935", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=143, eliminated_buckets=0, considered_events=22378961, total_slices=1443711, decompressed_slices=386688, duration.command.search.index=9074, invocations.command.search.index.bucketcache.hit=143, duration.command.search.index.bucketcache.hit=0, 
invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=77053, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12200771, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 08:04:29.557, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654848180_44291', total_run_time=34.90, 
event_count=0, result_count=0, available_count=0, scan_count=22373753, drop_count=0, exec_time=1654848229, api_et=1654833780.000000000, api_lt=1654848180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654833780.000000000, search_lt=1654848180.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2766", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=143, eliminated_buckets=0, considered_events=22373753, total_slices=1441376, decompressed_slices=386643, duration.command.search.index=10840, invocations.command.search.index.bucketcache.hit=143, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=87329, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12194769, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, 
dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 08:03:59.557, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654848120_44244', total_run_time=40.11, event_count=0, result_count=0, available_count=0, scan_count=22370614, drop_count=0, exec_time=1654848170, api_et=1654833720.000000000, api_lt=1654848120.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654833720.000000000, search_lt=1654848120.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2733", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=143, eliminated_buckets=0, considered_events=22370614, total_slices=1440276, decompressed_slices=386603, duration.command.search.index=10300, invocations.command.search.index.bucketcache.hit=143, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, 
duration.command.search.rawdata=85046, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12193306, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 08:02:29.549, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654848060_44213', total_run_time=26.94, event_count=0, result_count=0, available_count=0, scan_count=22364538, drop_count=0, exec_time=1654848109, api_et=1654833660.000000000, 
api_lt=1654848060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654833660.000000000, search_lt=1654848060.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2576", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=143, eliminated_buckets=0, considered_events=22364538, total_slices=1438565, decompressed_slices=386626, duration.command.search.index=9748, invocations.command.search.index.bucketcache.hit=143, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=73975, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12190566, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, 
earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 08:01:29.976, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654848000_44183', total_run_time=27.35, event_count=0, result_count=0, available_count=0, scan_count=22355855, drop_count=0, exec_time=1654848050, api_et=1654833600.000000000, api_lt=1654848000.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654833600.000000000, search_lt=1654848000.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2702", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=22355855, total_slices=1462236, decompressed_slices=386614, duration.command.search.index=10357, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=80026, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, 
invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12186868, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 07:44:26.196, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654846980_43865', total_run_time=30.63, event_count=0, result_count=0, available_count=0, scan_count=3803, drop_count=0, exec_time=1654847018, api_et=1654843380.000000000, api_lt=1654846980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654843380.000000000, search_lt=1654847020.204045000, is_realtime=0, savedsearch_name="Threat - 
DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2731", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_f3292435121f9dab", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=3803, total_slices=1033526, decompressed_slices=1189, duration.command.search.index=1131, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5097, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, 
risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 07:35:58.878, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654846380_43657', total_run_time=45.72, event_count=0, result_count=0, available_count=0, scan_count=42499220, drop_count=0, exec_time=1654846405, api_et=1654842780.000000000, api_lt=1654846380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654842780.000000000, search_lt=1654846407.348359000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3886", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_ef0263881471b92a", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1870, eliminated_buckets=133, considered_events=42499220, total_slices=14693115, decompressed_slices=4327233, duration.command.search.index=15169, invocations.command.search.index.bucketcache.hit=1868, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=247816, invocations.command.search.rawdata.bucketcache.hit=308, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, 
invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 07:16:41.273, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654845360_43318', total_run_time=9.27, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654845370, api_et=1654841160.000000000, api_lt=1654844760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654841760.000000000, search_lt=1654845373.044764000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3795", has_error_msg=false, 
fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_5586ade7cbe407ee", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1058, eliminated_buckets=377, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=703, invocations.command.search.index.bucketcache.hit=1058, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as 
task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 07:14:42.211, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654845240_43278', total_run_time=6.57, event_count=0, result_count=0, available_count=0, scan_count=19430, drop_count=0, exec_time=1654845263, api_et=1654841640.000000000, api_lt=1654845240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654841640.000000000, search_lt=1654845265.130586000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2853", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=414, eliminated_buckets=291, considered_events=19873, total_slices=732190, decompressed_slices=3785, duration.command.search.index=1375, 
invocations.command.search.index.bucketcache.hit=414, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=6513, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=47, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=129, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=311, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=71, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=16, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=127, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=2, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR 
sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." 
(CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-10-2022 07:11:10.146, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654845060_43212', total_run_time=5.03, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654845065, api_et=1654841460.000000000, api_lt=1654845060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654841460.000000000, search_lt=1654845067.080946000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="3124", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_e6a64472ccfcdacc", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=51, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=61, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 07:10:40.649, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654844820_43168', total_run_time=18.35, event_count=1240, result_count=66, available_count=0, scan_count=363441, drop_count=0, exec_time=1654844884, api_et=1654841220.000000000, api_lt=1654844820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654841220.000000000, search_lt=1654844886.193567000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2797", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=416, eliminated_buckets=195, considered_events=370935, total_slices=638779, decompressed_slices=118541, duration.command.search.index=3791, invocations.command.search.index.bucketcache.hit=414, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=31061, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=4, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=294769, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=30742, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-10-2022 07:10:40.553, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654844820_43158', total_run_time=9.06, event_count=0, result_count=0, available_count=0, scan_count=1, drop_count=0, exec_time=1654844846, api_et=1654841220.000000000, api_lt=1654844820.000000000, api_index_et=N/A, 
api_index_lt=N/A, search_et=1654841220.000000000, search_lt=1654844847.886051000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2740", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_bda1642c3cdac0bb", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=416, eliminated_buckets=195, considered_events=1, total_slices=7602, decompressed_slices=1, duration.command.search.index=850, invocations.command.search.index.bucketcache.hit=413, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=130, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine 
"sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 07:10:39.886, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654844940_43181', total_run_time=21.32, event_count=0, result_count=0, available_count=0, scan_count=4275343, drop_count=0, exec_time=1654844946, api_et=1654840740.000000000, api_lt=1654844340.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654840740.000000000, search_lt=1654844340.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3257", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_7071c31ac92feacf", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=788, eliminated_buckets=360, considered_events=4275343, total_slices=1036311, decompressed_slices=187029, duration.command.search.index=1767, invocations.command.search.index.bucketcache.hit=785, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=31193, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=116, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 06:44:50.587, user=u00001, action=search, 
info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654843380_42696', total_run_time=39.12, event_count=0, result_count=0, available_count=0, scan_count=3490, drop_count=0, exec_time=1654843418, api_et=1654839780.000000000, api_lt=1654843380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654839780.000000000, search_lt=1654843420.589207000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2901", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_e1b0105d2bd354ec", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=3490, total_slices=839001, decompressed_slices=1105, duration.command.search.index=1372, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5600, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") 
earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 06:35:25.855, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654842780_42487', total_run_time=88.15, event_count=0, result_count=0, available_count=0, scan_count=42116358, drop_count=0, exec_time=1654842805, api_et=1654839180.000000000, api_lt=1654842780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654839180.000000000, search_lt=1654842807.549256000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3666", has_error_msg=false, fully_completed_search=false, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_da75102a1f80a29f", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1866, eliminated_buckets=132, considered_events=42116358, total_slices=14734746, decompressed_slices=4297144, duration.command.search.index=26695, invocations.command.search.index.bucketcache.hit=1866, 
duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=313059, invocations.command.search.rawdata.bucketcache.hit=306, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 06:16:46.869, user=u00001, action=search, info=completed, 
search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654841760_42136', total_run_time=11.86, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654841770, api_et=1654837560.000000000, api_lt=1654841160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654838160.000000000, search_lt=1654841772.564728000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3230", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_03f48e2a98f1385b", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1061, eliminated_buckets=377, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=861, invocations.command.search.index.bucketcache.hit=1061, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert 
OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 06:14:46.875, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654841640_42096', total_run_time=6.55, event_count=0, result_count=0, available_count=0, scan_count=14376, drop_count=0, exec_time=1654841663, api_et=1654838040.000000000, api_lt=1654841640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654838040.000000000, search_lt=1654841665.728669000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2844", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=408, eliminated_buckets=286, considered_events=14445, total_slices=654082, decompressed_slices=2863, duration.command.search.index=1033, invocations.command.search.index.bucketcache.hit=408, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=6040, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=38, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=98, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=237, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=52, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=5, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=185, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=2, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") 
`filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-10-2022 06:11:23.242, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654841460_42029', total_run_time=5.89, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654841464, api_et=1654837860.000000000, api_lt=1654841460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654837860.000000000, search_lt=1654841466.172810000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="3043", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_87593b6e080ee452", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=125, eliminated_buckets=51, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=60, invocations.command.search.index.bucketcache.hit=125, 
duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 06:11:23.225, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654841340_41996', total_run_time=22.89, event_count=0, result_count=0, available_count=0, scan_count=4231873, drop_count=0, exec_time=1654841345, api_et=1654837140.000000000, api_lt=1654840740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654837140.000000000, search_lt=1654840740.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="2936", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_2abb5e9bf98fcd96", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=792, eliminated_buckets=366, considered_events=4231873, total_slices=1054119, decompressed_slices=200082, duration.command.search.index=1774, invocations.command.search.index.bucketcache.hit=787, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=32505, invocations.command.search.rawdata.bucketcache.hit=9, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=134, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 06:11:22.010, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654841220_41976', total_run_time=15.33, event_count=1209, result_count=59, available_count=0, scan_count=356574, drop_count=0, exec_time=1654841280, api_et=1654837620.000000000, api_lt=1654841220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654837620.000000000, search_lt=1654841281.923834000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2737", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=409, eliminated_buckets=194, considered_events=364215, total_slices=655412, decompressed_slices=96537, duration.command.search.index=3739, invocations.command.search.index.bucketcache.hit=409, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=28940, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=2, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=292940, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=30509, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype 
CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-10-2022 06:07:42.734, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654841220_41971', total_run_time=11.16, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654841246, api_et=1654837620.000000000, api_lt=1654841220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654837620.000000000, search_lt=1654841248.398367000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2779", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_ff2d4f6c411df4cf", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=409, eliminated_buckets=194, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=886, invocations.command.search.index.bucketcache.hit=409, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 05:44:12.472, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654839780_41505', total_run_time=21.45, event_count=0, result_count=0, available_count=0, scan_count=4289, drop_count=0, exec_time=1654839818, api_et=1654836180.000000000, api_lt=1654839780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654836180.000000000, search_lt=1654839820.229625000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2319", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_d30c53e7ed6c24e9", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=4289, total_slices=1014606, decompressed_slices=1609, duration.command.search.index=1075, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5096, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 05:38:00.235, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654839180_41300', total_run_time=40.34, event_count=0, result_count=0, available_count=0, scan_count=41793061, drop_count=0, exec_time=1654839205, api_et=1654835580.000000000, api_lt=1654839180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654835580.000000000, search_lt=1654839207.108109000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3664", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_8267158a171f47d1", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1870, eliminated_buckets=132, considered_events=41793061, total_slices=14686394, decompressed_slices=4250533, duration.command.search.index=14816, invocations.command.search.index.bucketcache.hit=1870, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=230446, invocations.command.search.rawdata.bucketcache.hit=304, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 05:16:27.270, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654838160_40952', total_run_time=6.36, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654838170, api_et=1654833960.000000000, api_lt=1654837560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654834560.000000000, search_lt=1654838172.605476000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3180", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_f07faa3a45287bec", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1061, eliminated_buckets=376, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=642, invocations.command.search.index.bucketcache.hit=1060, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 05:14:57.086, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654838040_40911', total_run_time=16.68, event_count=0, result_count=0, available_count=0, scan_count=12877, drop_count=0, exec_time=1654838063, api_et=1654834440.000000000, api_lt=1654838040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654834440.000000000, search_lt=1654838065.432392000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="3004", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=405, eliminated_buckets=283, considered_events=12902, total_slices=579434, decompressed_slices=2633, duration.command.search.index=1327, invocations.command.search.index.bucketcache.hit=405, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=9112, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=37, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=150, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=374, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=87, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=4, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=134, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=5, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") 
`filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-10-2022 05:11:27.331, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654837860_40845', total_run_time=4.95, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654837865, api_et=1654834260.000000000, api_lt=1654837860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654834260.000000000, search_lt=1654837866.836717000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2766", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_95ee7ca830b57130", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=125, eliminated_buckets=50, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=54, invocations.command.search.index.bucketcache.hit=125, 
duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 05:10:16.295, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654837740_40814', total_run_time=69.35, event_count=0, result_count=0, available_count=0, scan_count=3541106, drop_count=0, exec_time=1654837745, api_et=1654833540.000000000, api_lt=1654837140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654833540.000000000, search_lt=1654837140.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3098", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_1bfa28d47b89af3f", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=810, eliminated_buckets=386, considered_events=3541106, total_slices=1049493, decompressed_slices=251750, duration.command.search.index=2558, invocations.command.search.index.bucketcache.hit=810, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57676, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=60, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 05:09:54.086, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654837620_40796', total_run_time=34.87, event_count=1285, result_count=60, available_count=0, scan_count=369396, drop_count=0, exec_time=1654837680, api_et=1654834020.000000000, api_lt=1654837620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654834020.000000000, search_lt=1654837682.828044000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="3094", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=408, eliminated_buckets=194, considered_events=375385, total_slices=647433, decompressed_slices=100851, duration.command.search.index=9517, invocations.command.search.index.bucketcache.hit=408, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=116368, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=6, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=300770, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=33299, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype 
CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-10-2022 05:09:53.527, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654837620_40790', total_run_time=26.50, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654837646, api_et=1654834020.000000000, api_lt=1654837620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654834020.000000000, search_lt=1654837648.553050000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2797", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_4346cd4f3f37fb27", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=408, eliminated_buckets=194, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=3115, invocations.command.search.index.bucketcache.hit=408, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 05:00:34.028, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654837140_40595', total_run_time=14.38, event_count=0, result_count=0, available_count=0, scan_count=22015188, drop_count=0, exec_time=1654837190, api_et=1654822740.000000000, api_lt=1654837140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654822740.000000000, search_lt=1654837140.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3167", has_error_msg=true, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=0, considered_events=22015188, total_slices=1149510, decompressed_slices=406924, duration.command.search.index=7821, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61745, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11853938, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 04:59:04.071, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654837080_40582', total_run_time=13.50, event_count=0, result_count=0, available_count=0, scan_count=22021182, drop_count=0, exec_time=1654837129, api_et=1654822680.000000000, api_lt=1654837080.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654822680.000000000, search_lt=1654837080.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3124", has_error_msg=true, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=0, considered_events=22021182, total_slices=1147887, decompressed_slices=407088, duration.command.search.index=8216, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58780, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11853422, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 04:58:17.560, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654837020_40566', total_run_time=12.80, event_count=0, result_count=0, available_count=0, scan_count=22025327, drop_count=0, exec_time=1654837069, api_et=1654822620.000000000, api_lt=1654837020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654822620.000000000, search_lt=1654837020.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2637", has_error_msg=true, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=0, considered_events=22025327, total_slices=1146066, decompressed_slices=407201, duration.command.search.index=7974, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58599, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11851480, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 04:57:04.039, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654836960_40549', total_run_time=12.91, event_count=0, result_count=0, available_count=0, scan_count=22031296, drop_count=0, exec_time=1654837009, api_et=1654822560.000000000, api_lt=1654836960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654822560.000000000, search_lt=1654836960.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2698", has_error_msg=true, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=0, considered_events=22031296, total_slices=1144257, decompressed_slices=407316, duration.command.search.index=8038, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57324, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11851080, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 04:56:34.248, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654836900_40538', total_run_time=16.07, event_count=0, result_count=0, available_count=0, scan_count=22037850, drop_count=0, exec_time=1654836949, api_et=1654822500.000000000, api_lt=1654836900.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654822500.000000000, search_lt=1654836900.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="5226", has_error_msg=true, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=0, considered_events=22037850, total_slices=1142559, decompressed_slices=407348, duration.command.search.index=8219, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58966, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11850046, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 04:55:19.495, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654836840_40523', total_run_time=13.01, event_count=0, result_count=0, available_count=0, scan_count=22043066, drop_count=0, exec_time=1654836889, api_et=1654822440.000000000, api_lt=1654836840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654822440.000000000, search_lt=1654836840.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2752", has_error_msg=true, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=0, considered_events=22043066, total_slices=1140707, decompressed_slices=407426, duration.command.search.index=8441, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55962, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11849505, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 04:54:50.034, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654836780_40506', total_run_time=13.13, event_count=0, result_count=0, available_count=0, scan_count=22045830, drop_count=0, exec_time=1654836829, api_et=1654822380.000000000, api_lt=1654836780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654822380.000000000, search_lt=1654836780.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3047", has_error_msg=true, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=0, considered_events=22045830, total_slices=1138811, decompressed_slices=407524, duration.command.search.index=8386, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56317, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11848755, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 04:54:49.648, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654836720_40482', total_run_time=15.26, event_count=0, result_count=0, available_count=0, scan_count=22048653, drop_count=0, exec_time=1654836769, api_et=1654822320.000000000, api_lt=1654836720.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654822320.000000000, search_lt=1654836720.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2719", has_error_msg=true, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=0, considered_events=22048653, total_slices=1136970, decompressed_slices=407609, duration.command.search.index=8842, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=62269, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11848619, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 04:52:18.703, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654836660_40465', total_run_time=13.03, event_count=0, result_count=0, available_count=0, scan_count=22055223, drop_count=0, exec_time=1654836709, api_et=1654822260.000000000, api_lt=1654836660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654822260.000000000, search_lt=1654836660.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2716", has_error_msg=true, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=0, considered_events=22055223, total_slices=1135172, decompressed_slices=407790, duration.command.search.index=8346, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57619, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11849384, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 04:51:20.110, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654836600_40441', total_run_time=14.76, event_count=0, result_count=0, available_count=0, scan_count=22061840, drop_count=0, exec_time=1654836649, api_et=1654822200.000000000, api_lt=1654836600.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654822200.000000000, search_lt=1654836600.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2739", has_error_msg=true, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=0, considered_events=22061840, total_slices=1133368, decompressed_slices=407947, duration.command.search.index=8505, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=60692, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11847365, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 04:50:18.823, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654836540_40417', total_run_time=13.59, event_count=0, result_count=0, available_count=0, scan_count=22064847, drop_count=0, exec_time=1654836590, api_et=1654822140.000000000, api_lt=1654836540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654822140.000000000, search_lt=1654836540.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2716", has_error_msg=true, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=0, considered_events=22064847, total_slices=1131651, decompressed_slices=408007, duration.command.search.index=8372, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58894, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11845837, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 04:49:20.000, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654836480_40396', total_run_time=13.26, event_count=0, result_count=0, available_count=0, scan_count=22070900, drop_count=0, exec_time=1654836529, api_et=1654822080.000000000, api_lt=1654836480.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654822080.000000000, search_lt=1654836480.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2703", has_error_msg=true, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=0, considered_events=22070900, total_slices=1129654, decompressed_slices=408190, duration.command.search.index=8584, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59843, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11845823, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 04:48:19.249, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654836420_40379', total_run_time=13.25, event_count=0, result_count=0, available_count=0, scan_count=22074917, drop_count=0, exec_time=1654836469, api_et=1654822020.000000000, api_lt=1654836420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654822020.000000000, search_lt=1654836420.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2743", has_error_msg=true, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=0, considered_events=22074917, total_slices=1127868, decompressed_slices=408256, duration.command.search.index=8377, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58865, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11844446, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 04:47:18.612, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654836360_40358', total_run_time=12.49, event_count=0, result_count=0, available_count=0, scan_count=22082665, drop_count=0, exec_time=1654836409, api_et=1654821960.000000000, api_lt=1654836360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654821960.000000000, search_lt=1654836360.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2756", has_error_msg=true, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=0, considered_events=22082665, total_slices=1126129, decompressed_slices=408400, duration.command.search.index=8070, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56606, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11845975, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 04:46:19.512, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654836300_40340', total_run_time=12.97, event_count=0, result_count=0, available_count=0, scan_count=22092725, drop_count=0, exec_time=1654836349, api_et=1654821900.000000000, api_lt=1654836300.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654821900.000000000, search_lt=1654836300.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2731", has_error_msg=true, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=0, considered_events=22092725, total_slices=1124281, decompressed_slices=408557, duration.command.search.index=8153, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=60243, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11848229, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 04:45:18.917, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654836240_40317', total_run_time=13.44, event_count=0, result_count=0, available_count=0, scan_count=22100015, drop_count=0, exec_time=1654836290, api_et=1654821840.000000000, api_lt=1654836240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654821840.000000000, search_lt=1654836240.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3047", has_error_msg=true, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=0, considered_events=22100015, total_slices=1122574, decompressed_slices=408690, duration.command.search.index=8250, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59807, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11847759, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 04:44:20.339, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654836180_40296', total_run_time=13.09, event_count=0, result_count=0, available_count=0, scan_count=22108513, drop_count=0, exec_time=1654836230, api_et=1654821780.000000000, api_lt=1654836180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654821780.000000000, search_lt=1654836180.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3123", has_error_msg=true, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=22108513, total_slices=1146648, decompressed_slices=408769, duration.command.search.index=8169, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57899, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11848346, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 04:44:20.312, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654836180_40293', total_run_time=21.98, event_count=0, result_count=0, available_count=0, scan_count=3487, drop_count=0, exec_time=1654836218, api_et=1654832580.000000000, api_lt=1654836180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654832580.000000000, search_lt=1654836220.471473000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3121", has_error_msg=true, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_4cc11da13a243c22", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=0, considered_events=3487, total_slices=985525, decompressed_slices=1251, duration.command.search.index=1097, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4990, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter 
vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 04:43:42.479, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654836120_40268', total_run_time=14.43, event_count=0, result_count=0, available_count=0, scan_count=22114293, drop_count=0, exec_time=1654836170, api_et=1654821720.000000000, api_lt=1654836120.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654821720.000000000, search_lt=1654836120.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3151", has_error_msg=true, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=22114293, total_slices=1144903, decompressed_slices=408790, duration.command.search.index=8690, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=60406, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11847526, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 04:42:20.659, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654836060_40245', total_run_time=16.76, event_count=0, result_count=0, available_count=0, scan_count=22128107, drop_count=0, exec_time=1654836110, api_et=1654821660.000000000, api_lt=1654836060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654821660.000000000, search_lt=1654836060.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2777", has_error_msg=true, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=22128107, total_slices=1143095, decompressed_slices=408979, duration.command.search.index=8685, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59443, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11850179, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 04:41:18.602, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654836000_40220', total_run_time=15.07, event_count=0, result_count=0, available_count=0, scan_count=22136422, drop_count=0, exec_time=1654836049, api_et=1654821600.000000000, api_lt=1654836000.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654821600.000000000, search_lt=1654836000.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2769", has_error_msg=true, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=22136422, total_slices=1141410, decompressed_slices=409173, duration.command.search.index=8776, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59054, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11850494, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 04:40:20.833, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654835940_40197', total_run_time=13.66, event_count=0, result_count=0, available_count=0, scan_count=22142382, drop_count=0, exec_time=1654835989, api_et=1654821540.000000000, api_lt=1654835940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654821540.000000000, search_lt=1654835940.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2751", has_error_msg=true, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=22142382, total_slices=1139483, decompressed_slices=409260, duration.command.search.index=8130, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59264, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11848492, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 04:39:05.486, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654835880_40180', total_run_time=12.84, event_count=0, result_count=0, available_count=0, scan_count=22151700, drop_count=0, exec_time=1654835929, api_et=1654821480.000000000, api_lt=1654835880.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654821480.000000000, search_lt=1654835880.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2621", has_error_msg=true, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=22151700, total_slices=1137628, decompressed_slices=409378, duration.command.search.index=8276, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59009, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11848279, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 04:38:46.599, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654835820_40166', total_run_time=13.50, event_count=0, result_count=0, available_count=0, scan_count=22157168, drop_count=0, exec_time=1654835870, api_et=1654821420.000000000, api_lt=1654835820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654821420.000000000, search_lt=1654835820.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2736", has_error_msg=true, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=22157168, total_slices=1135821, decompressed_slices=409512, duration.command.search.index=7924, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58856, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11846526, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 04:37:18.928, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654835760_40151', total_run_time=13.16, event_count=0, result_count=0, available_count=0, scan_count=22168020, drop_count=0, exec_time=1654835810, api_et=1654821360.000000000, api_lt=1654835760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654821360.000000000, search_lt=1654835760.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2609", has_error_msg=true, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=22168020, total_slices=1133879, decompressed_slices=409659, duration.command.search.index=8066, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59315, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11848558, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 04:36:18.515, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654835700_40141', total_run_time=13.06, event_count=0, result_count=0, available_count=0, scan_count=22176575, drop_count=0, exec_time=1654835750, api_et=1654821300.000000000, api_lt=1654835700.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654821300.000000000, search_lt=1654835700.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2901", has_error_msg=true, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=22176575, total_slices=1132151, decompressed_slices=409831, duration.command.search.index=8257, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59437, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11847974, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 04:35:22.050, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654835640_40119', total_run_time=14.16, event_count=0, result_count=0, available_count=0, scan_count=22188564, drop_count=0, exec_time=1654835690, api_et=1654821240.000000000, api_lt=1654835640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654821240.000000000, search_lt=1654835640.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2767", has_error_msg=true, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=22188564, total_slices=1130329, decompressed_slices=410022, duration.command.search.index=8620, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59440, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11849013, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 04:34:18.834, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654835580_40069', total_run_time=38.03, event_count=0, result_count=0, available_count=0, scan_count=41991898, drop_count=0, exec_time=1654835605, api_et=1654831980.000000000, api_lt=1654835580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654831980.000000000, search_lt=1654835607.202317000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3686", has_error_msg=true, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_a0744f8e6c9b0d70", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1852, eliminated_buckets=132, considered_events=41991898, total_slices=14504935, decompressed_slices=4236046, duration.command.search.index=14994, invocations.command.search.index.bucketcache.hit=1852, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=232159, invocations.command.search.rawdata.bucketcache.hit=288, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 04:34:18.732, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654835580_40083', total_run_time=17.64, event_count=0, result_count=0, available_count=0, scan_count=22200371, drop_count=0, exec_time=1654835630, api_et=1654821180.000000000, api_lt=1654835580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654821180.000000000, search_lt=1654835580.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2645", has_error_msg=true, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=22200371, total_slices=1128467, decompressed_slices=410152, duration.command.search.index=10950, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=75699, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11848923, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 04:33:20.603, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654835520_40046', total_run_time=16.04, event_count=0, result_count=0, available_count=0, scan_count=22212487, drop_count=0, exec_time=1654835569, api_et=1654821120.000000000, api_lt=1654835520.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654821120.000000000, search_lt=1654835520.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2779", has_error_msg=true, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=22212487, total_slices=1126623, decompressed_slices=410324, duration.command.search.index=9797, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=65692, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11850543, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 04:32:18.691, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654835460_40016', total_run_time=14.67, event_count=0, result_count=0, available_count=0, scan_count=22222321, drop_count=0, exec_time=1654835509, api_et=1654821060.000000000, api_lt=1654835460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654821060.000000000, search_lt=1654835460.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2821", has_error_msg=true, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=22222321, total_slices=1124862, decompressed_slices=410434, duration.command.search.index=9657, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=62905, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11850904, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 04:31:19.064, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654835400_39987', total_run_time=18.41, event_count=0, result_count=0, available_count=0, scan_count=22236011, drop_count=0, exec_time=1654835449, api_et=1654821000.000000000, api_lt=1654835400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654821000.000000000, search_lt=1654835400.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3198", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=22236011, total_slices=1122880, decompressed_slices=410550, duration.command.search.index=11036, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=71052, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11850385, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 04:30:18.654, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654835340_39957', total_run_time=12.96, event_count=0, result_count=0, available_count=0, scan_count=22244404, drop_count=0, exec_time=1654835390, api_et=1654820940.000000000, api_lt=1654835340.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654820940.000000000, search_lt=1654835340.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2712", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=22244404, total_slices=1120732, decompressed_slices=410657, duration.command.search.index=8402, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=60209, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11846688, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 04:29:20.864, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654835280_39944', total_run_time=12.43, event_count=0, result_count=0, available_count=0, scan_count=22255288, drop_count=0, exec_time=1654835329, api_et=1654820880.000000000, api_lt=1654835280.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654820880.000000000, search_lt=1654835280.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2586", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=22255288, total_slices=1119452, decompressed_slices=410894, duration.command.search.index=8528, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58093, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11847254, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 04:28:32.963, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654835220_39929', total_run_time=12.68, event_count=0, result_count=0, available_count=0, scan_count=22268640, drop_count=0, exec_time=1654835269, api_et=1654820820.000000000, api_lt=1654835220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654820820.000000000, search_lt=1654835220.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2695", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=22268640, total_slices=1117580, decompressed_slices=411169, duration.command.search.index=8395, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59566, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11848519, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 04:27:18.545, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654835160_39911', total_run_time=20.49, event_count=0, result_count=0, available_count=0, scan_count=22283184, drop_count=0, exec_time=1654835210, api_et=1654820760.000000000, api_lt=1654835160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654820760.000000000, search_lt=1654835160.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2628", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=22283184, total_slices=1115763, decompressed_slices=411411, duration.command.search.index=8680, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58150, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11851029, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 04:26:18.783, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654835100_39894', total_run_time=13.80, event_count=0, result_count=0, available_count=0, scan_count=22298970, drop_count=0, exec_time=1654835149, api_et=1654820700.000000000, api_lt=1654835100.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654820700.000000000, search_lt=1654835100.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2886", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=22298970, total_slices=1113953, decompressed_slices=411626, duration.command.search.index=8502, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58567, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11853378, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 04:25:19.720, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654835040_39881', total_run_time=15.08, event_count=0, result_count=0, available_count=0, scan_count=22314610, drop_count=0, exec_time=1654835090, api_et=1654820640.000000000, api_lt=1654835040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654820640.000000000, search_lt=1654835040.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2813", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=22314610, total_slices=1112260, decompressed_slices=411914, duration.command.search.index=8949, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=60109, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11854932, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 04:24:05.364, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654834980_39862', total_run_time=13.31, event_count=0, result_count=0, available_count=0, scan_count=22334236, drop_count=0, exec_time=1654835029, api_et=1654820580.000000000, api_lt=1654834980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654820580.000000000, search_lt=1654834980.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2625", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=22334236, total_slices=1110374, decompressed_slices=412156, duration.command.search.index=8704, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58868, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11856846, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 04:23:50.263, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654834920_39829', total_run_time=14.40, event_count=0, result_count=0, available_count=0, scan_count=22351184, drop_count=0, exec_time=1654834969, api_et=1654820520.000000000, api_lt=1654834920.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654820520.000000000, search_lt=1654834920.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2810", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=22351184, total_slices=1108583, decompressed_slices=412286, duration.command.search.index=8649, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59860, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11858349, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 04:22:19.312, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654834860_39813', total_run_time=14.49, event_count=0, result_count=0, available_count=0, scan_count=22369249, drop_count=0, exec_time=1654834910, api_et=1654820460.000000000, api_lt=1654834860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654820460.000000000, search_lt=1654834860.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3312", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=22369249, total_slices=1106853, decompressed_slices=412574, duration.command.search.index=8729, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61076, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11863500, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 04:21:19.063, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654834800_39783', total_run_time=14.59, event_count=0, result_count=0, available_count=0, scan_count=22384593, drop_count=0, exec_time=1654834849, api_et=1654820400.000000000, api_lt=1654834800.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654820400.000000000, search_lt=1654834800.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3289", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=22384593, total_slices=1105161, decompressed_slices=412852, duration.command.search.index=8820, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=60476, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11865339, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 04:20:19.123, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654834740_39760', total_run_time=14.16, event_count=0, result_count=0, available_count=0, scan_count=22399728, drop_count=0, exec_time=1654834789, api_et=1654820340.000000000, api_lt=1654834740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654820340.000000000, search_lt=1654834740.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2673", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=22399728, total_slices=1103241, decompressed_slices=412959, duration.command.search.index=8693, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58955, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11866349, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 04:19:10.903, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654834680_39735', total_run_time=17.54, event_count=0, result_count=0, available_count=0, scan_count=22415080, drop_count=0, exec_time=1654834729, api_et=1654820280.000000000, api_lt=1654834680.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654820280.000000000, search_lt=1654834680.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2762", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=22415080, total_slices=1101452, decompressed_slices=413094, duration.command.search.index=10221, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=71591, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11868470, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 04:18:55.412, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654834620_39714', total_run_time=15.19, event_count=0, result_count=0, available_count=0, scan_count=22431032, drop_count=0, exec_time=1654834670, api_et=1654820220.000000000, api_lt=1654834620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654820220.000000000, search_lt=1654834620.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2646", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=22431032, total_slices=1099594, decompressed_slices=413404, duration.command.search.index=9048, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61149, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11871292, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 04:17:18.824, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654834560_39691', total_run_time=15.08, event_count=0, result_count=0, available_count=0, scan_count=22449373, drop_count=0, exec_time=1654834609, api_et=1654820160.000000000, api_lt=1654834560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654820160.000000000, search_lt=1654834560.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2838", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=1, considered_events=22449373, total_slices=1097914, decompressed_slices=413608, duration.command.search.index=8652, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=60071, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11873093, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 04:16:48.772, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654834560_39685', total_run_time=13.08, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654834571, api_et=1654830360.000000000, api_lt=1654833960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654830960.000000000, search_lt=1654834577.938175000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="8600", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_246d2a88f28e8ece", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1060, eliminated_buckets=378, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=612, invocations.command.search.index.bucketcache.hit=1060, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 04:16:18.596, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654834500_39673', total_run_time=19.07, event_count=0, result_count=0, available_count=0, scan_count=22466064, drop_count=0, exec_time=1654834549, api_et=1654820100.000000000, api_lt=1654834500.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654820100.000000000, search_lt=1654834500.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2543", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=1, considered_events=22466064, total_slices=1096071, decompressed_slices=413824, duration.command.search.index=8565, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=62730, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11875629, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 04:15:18.752, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654834440_39654', total_run_time=23.64, event_count=0, result_count=0, available_count=0, scan_count=22484251, drop_count=0, exec_time=1654834489, api_et=1654820040.000000000, api_lt=1654834440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654820040.000000000, search_lt=1654834440.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2638", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=1, considered_events=22484251, total_slices=1094362, decompressed_slices=414027, duration.command.search.index=8379, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=62048, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11877086, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 04:14:40.221, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654834440_39641', total_run_time=5.47, event_count=0, result_count=0, available_count=0, scan_count=17619, drop_count=0, exec_time=1654834462, api_et=1654830840.000000000, api_lt=1654834440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654830840.000000000, search_lt=1654834464.844086000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2766", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=411, eliminated_buckets=288, considered_events=17752, total_slices=520560, decompressed_slices=3255, duration.command.search.index=984, invocations.command.search.index.bucketcache.hit=410, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5841, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=115, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=134, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=350, 
sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=78, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=4, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=180, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=9, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR 
sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-10-2022 04:14:40.043, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654834380_39631', total_run_time=34.67, event_count=0, result_count=0, available_count=0, scan_count=22502206, drop_count=0, exec_time=1654834429, api_et=1654819980.000000000, api_lt=1654834380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654819980.000000000, search_lt=1654834380.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2855", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=1, considered_events=22502206, total_slices=1092571, decompressed_slices=414197, 
duration.command.search.index=9372, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=93949, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11880314, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 04:14:23.052, user=u00002, action=search, 
info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654834320_39604', total_run_time=23.03, event_count=0, result_count=0, available_count=0, scan_count=22520576, drop_count=0, exec_time=1654834369, api_et=1654819920.000000000, api_lt=1654834320.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654819920.000000000, search_lt=1654834320.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3224", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=1, considered_events=22520576, total_slices=1090759, decompressed_slices=414426, duration.command.search.index=8493, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=65370, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11883019, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" 
src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 04:12:30.673, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654834260_39585', total_run_time=21.23, event_count=0, result_count=0, available_count=0, scan_count=22536584, drop_count=0, exec_time=1654834309, api_et=1654819860.000000000, api_lt=1654834260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654819860.000000000, search_lt=1654834260.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2988", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=1, considered_events=22536584, total_slices=1089007, decompressed_slices=414712, duration.command.search.index=8590, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, 
invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=63731, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11884703, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 04:11:30.425, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654834200_39561', total_run_time=32.52, 
event_count=0, result_count=0, available_count=0, scan_count=22552426, drop_count=0, exec_time=1654834250, api_et=1654819800.000000000, api_lt=1654834200.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654819800.000000000, search_lt=1654834200.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2657", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=1, considered_events=22552426, total_slices=1087300, decompressed_slices=414893, duration.command.search.index=9272, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=68237, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11885851, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, 
dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 04:11:20.324, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654834260_39569', total_run_time=5.57, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654834265, api_et=1654830660.000000000, api_lt=1654834260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654830660.000000000, search_lt=1654834266.859901000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2815", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_00b8774a8d82d442", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=124, eliminated_buckets=49, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=56, invocations.command.search.index.bucketcache.hit=124, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, 
duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 04:11:00.589, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654834020_39509', total_run_time=19.38, event_count=1288, result_count=66, available_count=0, scan_count=393606, drop_count=0, exec_time=1654834080, api_et=1654830420.000000000, api_lt=1654834020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654830420.000000000, search_lt=1654834081.894847000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2779", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=410, eliminated_buckets=195, considered_events=398235, total_slices=635180, decompressed_slices=117699, duration.command.search.index=3648, invocations.command.search.index.bucketcache.hit=410, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=32533, invocations.command.search.rawdata.bucketcache.hit=5, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=1, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=321147, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=35559, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-10-2022 04:11:00.555, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654834080_39523', total_run_time=28.20, event_count=0, result_count=0, available_count=0, scan_count=22587444, drop_count=0, exec_time=1654834129, api_et=1654819680.000000000, api_lt=1654834080.000000000, 
api_index_et=N/A, api_index_lt=N/A, search_et=1654819680.000000000, search_lt=1654834080.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2602", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=1, considered_events=22587444, total_slices=1083634, decompressed_slices=415141, duration.command.search.index=9017, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=67309, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11889605, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | 
eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 04:10:59.789, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654834020_39506', total_run_time=33.42, event_count=0, result_count=0, available_count=0, scan_count=22600646, drop_count=0, exec_time=1654834069, api_et=1654819620.000000000, api_lt=1654834020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654819620.000000000, search_lt=1654834020.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2624", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=1, considered_events=22600646, total_slices=1081782, decompressed_slices=415374, duration.command.search.index=8801, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=72249, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, 
invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11888554, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 04:10:59.599, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654834140_39539', total_run_time=32.51, event_count=0, result_count=0, available_count=0, scan_count=22570724, drop_count=0, exec_time=1654834190, api_et=1654819740.000000000, api_lt=1654834140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654819740.000000000, search_lt=1654834140.000000000, is_realtime=0, 
savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2765", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=1, considered_events=22570724, total_slices=1085457, decompressed_slices=415063, duration.command.search.index=8585, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=72725, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11887691, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as 
ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 04:10:59.487, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654834140_39531', total_run_time=19.29, event_count=0, result_count=0, available_count=0, scan_count=2297925, drop_count=0, exec_time=1654834145, api_et=1654829940.000000000, api_lt=1654833540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654829940.000000000, search_lt=1654833540.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3058", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_15809b3c42487b9c", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=796, eliminated_buckets=374, considered_events=2297925, total_slices=843995, decompressed_slices=96845, duration.command.search.index=1237, invocations.command.search.index.bucketcache.hit=795, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=20521, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, 
invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=53, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 04:07:44.241, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654833960_39486', total_run_time=29.18, event_count=0, result_count=0, available_count=0, scan_count=22620228, drop_count=0, exec_time=1654834010, api_et=1654819560.000000000, api_lt=1654833960.000000000, api_index_et=N/A, api_index_lt=N/A, 
search_et=1654819560.000000000, search_lt=1654833960.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2697", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=1, considered_events=22620228, total_slices=1080086, decompressed_slices=415626, duration.command.search.index=9069, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=71022, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11891242, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval 
isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 04:07:44.157, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654834020_39501', total_run_time=9.54, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654834046, api_et=1654830420.000000000, api_lt=1654834020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654830420.000000000, search_lt=1654834048.003087000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2906", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_8ecea382e091388e", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=410, eliminated_buckets=195, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=847, invocations.command.search.index.bucketcache.hit=410, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, 
invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 04:06:43.472, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654833900_39471', total_run_time=28.88, event_count=0, result_count=0, available_count=0, scan_count=22643451, drop_count=0, exec_time=1654833950, api_et=1654819500.000000000, api_lt=1654833900.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654819500.000000000, search_lt=1654833900.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2657", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=1, considered_events=22643451, total_slices=1078449, decompressed_slices=415818, duration.command.search.index=9171, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=74564, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11894609, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 04:06:12.999, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654833780_39411', total_run_time=44.93, event_count=0, result_count=0, available_count=0, scan_count=22679204, drop_count=0, exec_time=1654833829, api_et=1654819380.000000000, api_lt=1654833780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654819380.000000000, search_lt=1654833780.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2648", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=22679204, total_slices=1100452, decompressed_slices=416264, duration.command.search.index=11637, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=86133, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11899747, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 04:06:12.505, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654833720_39364', total_run_time=34.66, event_count=0, result_count=0, available_count=0, scan_count=22699437, drop_count=0, exec_time=1654833769, api_et=1654819320.000000000, api_lt=1654833720.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654819320.000000000, search_lt=1654833720.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2584", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=22699437, total_slices=1098650, decompressed_slices=416534, duration.command.search.index=11705, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=85299, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11903776, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 04:06:12.276, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654833840_39453', total_run_time=30.58, event_count=0, result_count=0, available_count=0, scan_count=22660917, drop_count=0, exec_time=1654833889, api_et=1654819440.000000000, api_lt=1654833840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654819440.000000000, search_lt=1654833840.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2685", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=1, considered_events=22660917, total_slices=1076420, decompressed_slices=416021, duration.command.search.index=10278, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=81704, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11897302, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 04:02:26.580, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654833660_39334', total_run_time=31.86, event_count=0, result_count=0, available_count=0, scan_count=22718245, drop_count=0, exec_time=1654833709, api_et=1654819260.000000000, api_lt=1654833660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654819260.000000000, search_lt=1654833660.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2795", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=22718245, total_slices=1096923, decompressed_slices=416911, duration.command.search.index=10624, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=76491, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11907589, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 04:01:26.517, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654833600_39302', total_run_time=19.92, event_count=0, result_count=0, available_count=0, scan_count=22721991, drop_count=0, exec_time=1654833650, api_et=1654819200.000000000, api_lt=1654833600.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654819200.000000000, search_lt=1654833600.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2778", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=22721991, total_slices=1095233, decompressed_slices=416870, duration.command.search.index=11369, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=79185, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11896606, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 03:44:52.424, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654832580_39003', total_run_time=30.48, event_count=0, result_count=0, available_count=0, scan_count=4352, drop_count=0, exec_time=1654832618, api_et=1654828980.000000000, api_lt=1654832580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654828980.000000000, search_lt=1654832620.147230000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2803", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_c882953e45a05d4d", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=129, eliminated_buckets=0, considered_events=4352, total_slices=902106, decompressed_slices=1449, duration.command.search.index=1308, invocations.command.search.index.bucketcache.hit=129, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5179, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 03:35:14.153, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654831980_38793', total_run_time=35.53, event_count=0, result_count=0, available_count=0, scan_count=42089053, drop_count=0, exec_time=1654832005, api_et=1654828380.000000000, api_lt=1654831980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654828380.000000000, search_lt=1654832007.805657000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3834", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_37e43189e698811d", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1861, eliminated_buckets=132, considered_events=42089053, total_slices=14447537, decompressed_slices=4228645, duration.command.search.index=14728, invocations.command.search.index.bucketcache.hit=1861, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=230883, invocations.command.search.rawdata.bucketcache.hit=300, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 03:16:52.441, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654830960_38449', total_run_time=25.46, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654830970, api_et=1654826760.000000000, api_lt=1654830360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654827360.000000000, search_lt=1654830972.251154000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3368", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_b921fd208796a487", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1061, eliminated_buckets=377, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=932, invocations.command.search.index.bucketcache.hit=1061, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 03:14:52.412, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654830840_38408', total_run_time=6.64, event_count=0, result_count=0, available_count=0, scan_count=16510, drop_count=0, exec_time=1654830863, api_et=1654827240.000000000, api_lt=1654830840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654827240.000000000, search_lt=1654830865.530228000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2871", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=406, eliminated_buckets=283, considered_events=16970, total_slices=444496, decompressed_slices=3329, duration.command.search.index=1019, invocations.command.search.index.bucketcache.hit=405, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5972, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=37, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=183, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=424, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=93, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=5, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=331, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=13, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") 
`filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-10-2022 03:11:22.457, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654830660_38342', total_run_time=5.75, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654830664, api_et=1654827060.000000000, api_lt=1654830660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654827060.000000000, search_lt=1654830666.550140000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2680", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_20686a6a291d56b7", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=124, eliminated_buckets=49, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=62, invocations.command.search.index.bucketcache.hit=124, 
duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 03:10:11.923, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654830540_38308', total_run_time=20.15, event_count=0, result_count=0, available_count=0, scan_count=3549046, drop_count=0, exec_time=1654830545, api_et=1654826340.000000000, api_lt=1654829940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654826340.000000000, search_lt=1654829940.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3160", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_059d666270452451", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=801, eliminated_buckets=377, considered_events=3549046, total_slices=976281, decompressed_slices=166881, duration.command.search.index=1552, invocations.command.search.index.bucketcache.hit=798, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=28099, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=64, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 03:10:11.058, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654830420_38290', total_run_time=13.97, event_count=1272, result_count=60, available_count=0, scan_count=397718, drop_count=0, exec_time=1654830480, api_et=1654826820.000000000, api_lt=1654830420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654826820.000000000, search_lt=1654830482.058967000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2965", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=406, eliminated_buckets=194, considered_events=404821, total_slices=586781, decompressed_slices=106491, duration.command.search.index=3352, invocations.command.search.index.bucketcache.hit=405, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=28906, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=321658, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=36025, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | 
rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-10-2022 03:07:45.313, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654830420_38285', total_run_time=6.01, event_count=0, result_count=0, available_count=0, scan_count=1, drop_count=0, exec_time=1654830446, api_et=1654826820.000000000, api_lt=1654830420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654826820.000000000, search_lt=1654830448.466197000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="3001", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_dbfd4fc7ef2f4178", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=406, eliminated_buckets=194, considered_events=1, total_slices=13249, decompressed_slices=0, duration.command.search.index=834, invocations.command.search.index.bucketcache.hit=405, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, 
invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=144, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 02:44:12.166, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654828980_37788', total_run_time=27.25, event_count=0, result_count=0, available_count=0, scan_count=3563, drop_count=0, exec_time=1654829018, api_et=1654825380.000000000, api_lt=1654828980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654825380.000000000, search_lt=1654829020.093663000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2811", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_937d6eb0135de32d", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=129, eliminated_buckets=0, considered_events=3563, total_slices=781725, decompressed_slices=1273, duration.command.search.index=1133, invocations.command.search.index.bucketcache.hit=129, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5074, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 02:38:47.530, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654828380_37580', total_run_time=37.71, event_count=0, result_count=0, available_count=0, scan_count=42121553, drop_count=0, exec_time=1654828405, api_et=1654824780.000000000, api_lt=1654828380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654824780.000000000, search_lt=1654828407.028003000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3751", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_8dd8aebf22537b41", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1867, eliminated_buckets=132, considered_events=42121553, total_slices=14517599, decompressed_slices=4271061, duration.command.search.index=14730, invocations.command.search.index.bucketcache.hit=1867, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=235463, invocations.command.search.rawdata.bucketcache.hit=306, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 02:16:30.419, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654827360_37233', total_run_time=14.18, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654827370, api_et=1654823160.000000000, api_lt=1654826760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654823760.000000000, search_lt=1654827372.089505000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3338", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_4b38147b1540056b", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1059, eliminated_buckets=373, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=1311, invocations.command.search.index.bucketcache.hit=1059, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 02:14:30.548, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654827240_37193', total_run_time=6.00, event_count=0, result_count=0, available_count=0, scan_count=14287, drop_count=0, exec_time=1654827263, api_et=1654823640.000000000, api_lt=1654827240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654823640.000000000, search_lt=1654827265.807315000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2915", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=403, eliminated_buckets=281, considered_events=14413, total_slices=368236, decompressed_slices=3067, duration.command.search.index=1055, invocations.command.search.index.bucketcache.hit=403, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5790, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=42, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=206, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=661, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=136, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=4, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=200, sourcetype_count__crowdstrike:falcon:fdr:RtfFileWritten=1, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=3, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR 
sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-10-2022 02:11:30.613, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654827060_37127', total_run_time=6.36, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654827064, api_et=1654823460.000000000, api_lt=1654827060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654823460.000000000, search_lt=1654827066.960979000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="3259", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_e080ca23da2fabe4", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=125, eliminated_buckets=53, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=103, 
invocations.command.search.index.bucketcache.hit=125, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 02:09:30.704, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654826940_37096', total_run_time=20.90, event_count=0, result_count=0, available_count=0, scan_count=4023086, drop_count=0, exec_time=1654826945, api_et=1654822740.000000000, api_lt=1654826340.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654822740.000000000, search_lt=1654826340.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3032", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_c84b7c571ccf4bc2", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=794, eliminated_buckets=367, considered_events=4023086, total_slices=1028708, decompressed_slices=185133, duration.command.search.index=1866, invocations.command.search.index.bucketcache.hit=794, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=32479, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=67, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 02:08:30.654, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654826820_37076', total_run_time=29.70, event_count=2223, result_count=111, available_count=0, scan_count=474130, drop_count=0, exec_time=1654826880, api_et=1654823220.000000000, api_lt=1654826820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654823220.000000000, search_lt=1654826882.635392000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2892", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=405, eliminated_buckets=195, considered_events=479704, total_slices=484909, decompressed_slices=107850, duration.command.search.index=4577, invocations.command.search.index.bucketcache.hit=405, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=38000, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=387064, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=42383, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | 
rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-10-2022 02:07:37.120, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654826820_37071', total_run_time=7.10, event_count=0, result_count=0, available_count=0, scan_count=2, drop_count=0, exec_time=1654826846, api_et=1654823220.000000000, api_lt=1654826820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654823220.000000000, search_lt=1654826848.810973000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2863", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_7727bcfc067089f1", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=405, eliminated_buckets=195, considered_events=2, total_slices=7847, decompressed_slices=2, duration.command.search.index=889, invocations.command.search.index.bucketcache.hit=405, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, 
invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=251, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 01:44:53.349, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654825380_36605', total_run_time=21.71, event_count=0, result_count=0, available_count=0, scan_count=4209, drop_count=0, exec_time=1654825418, api_et=1654821780.000000000, api_lt=1654825380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654821780.000000000, search_lt=1654825420.070428000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3028", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_741a58d02888fb7a", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=0, considered_events=4209, total_slices=729637, decompressed_slices=1413, duration.command.search.index=1068, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4808, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 01:39:37.071, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654824780_36400', total_run_time=252.87, event_count=0, result_count=0, available_count=0, scan_count=42035441, drop_count=0, exec_time=1654824805, api_et=1654821180.000000000, api_lt=1654824780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654821180.000000000, search_lt=1654824807.279820000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3897", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_094c2bc0a139f73d", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1869, eliminated_buckets=132, considered_events=42035441, total_slices=14389089, decompressed_slices=4229952, duration.command.search.index=20571, invocations.command.search.index.bucketcache.hit=1867, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=371465, invocations.command.search.rawdata.bucketcache.hit=296, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 01:17:05.516, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654823760_36063', total_run_time=45.05, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654823770, api_et=1654819560.000000000, api_lt=1654823160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654820160.000000000, search_lt=1654823772.657228000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3378", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_138585ffec7fb72b", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1056, eliminated_buckets=374, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=1609, invocations.command.search.index.bucketcache.hit=1056, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 01:14:35.558, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654823640_36023', total_run_time=5.95, event_count=0, result_count=0, available_count=0, scan_count=20780, drop_count=0, exec_time=1654823663, api_et=1654820040.000000000, api_lt=1654823640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654820040.000000000, search_lt=1654823665.226355000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2773", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=410, eliminated_buckets=285, considered_events=21167, total_slices=388043, decompressed_slices=3771, duration.command.search.index=1278, invocations.command.search.index.bucketcache.hit=410, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5915, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=47, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=257, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=976, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=164, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=3, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=287, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=5, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") 
`filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-10-2022 01:11:29.447, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654823460_35957', total_run_time=6.55, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654823464, api_et=1654819860.000000000, api_lt=1654823460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654819860.000000000, search_lt=1654823467.106124000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="3195", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_d96fe77ee61d08b9", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=125, eliminated_buckets=55, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=46, invocations.command.search.index.bucketcache.hit=125, 
duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 01:11:08.621, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654823220_35913', total_run_time=16.49, event_count=2016, result_count=114, available_count=0, scan_count=501724, drop_count=0, exec_time=1654823284, api_et=1654819620.000000000, api_lt=1654823220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654819620.000000000, search_lt=1654823286.410678000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2817", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=415, eliminated_buckets=200, considered_events=509069, total_slices=517064, decompressed_slices=117036, duration.command.search.index=3767, invocations.command.search.index.bucketcache.hit=414, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=33619, invocations.command.search.rawdata.bucketcache.hit=6, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=10, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=409072, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=41720, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-10-2022 01:11:08.345, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654823340_35926', total_run_time=22.07, event_count=0, result_count=0, available_count=0, scan_count=3844037, drop_count=0, exec_time=1654823345, api_et=1654819140.000000000, api_lt=1654822740.000000000, 
api_index_et=N/A, api_index_lt=N/A, search_et=1654819140.000000000, search_lt=1654822740.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3048", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_12d1c597010e1947", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=796, eliminated_buckets=370, considered_events=3844037, total_slices=1000172, decompressed_slices=184164, duration.command.search.index=1639, invocations.command.search.index.bucketcache.hit=795, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=30654, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=104, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | 
stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 01:07:59.838, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654823220_35902', total_run_time=5.62, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654823246, api_et=1654819620.000000000, api_lt=1654823220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654819620.000000000, search_lt=1654823248.101682000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2806", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_c905b3e89be731b7", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=415, eliminated_buckets=200, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=837, invocations.command.search.index.bucketcache.hit=414, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, 
invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 01:00:22.542, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654822740_35711', total_run_time=18.37, event_count=0, result_count=0, available_count=0, scan_count=27181145, drop_count=0, exec_time=1654822790, api_et=1654808340.000000000, api_lt=1654822740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654808340.000000000, search_lt=1654822740.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2668", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=148, eliminated_buckets=0, considered_events=27181145, total_slices=1268316, decompressed_slices=459130, duration.command.search.index=9558, invocations.command.search.index.bucketcache.hit=148, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=87124, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12830208, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 00:59:22.603, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654822680_35698', total_run_time=15.50, event_count=0, result_count=0, available_count=0, scan_count=27206511, drop_count=0, exec_time=1654822729, api_et=1654808280.000000000, api_lt=1654822680.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654808280.000000000, search_lt=1654822680.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2597", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=148, eliminated_buckets=0, considered_events=27206511, total_slices=1266279, decompressed_slices=459445, duration.command.search.index=9941, invocations.command.search.index.bucketcache.hit=148, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=71333, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12836144, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 00:58:43.159, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654822620_35682', total_run_time=19.56, event_count=0, result_count=0, available_count=0, scan_count=27230655, drop_count=0, exec_time=1654822669, api_et=1654808220.000000000, api_lt=1654822620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654808220.000000000, search_lt=1654822620.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2697", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=148, eliminated_buckets=0, considered_events=27230655, total_slices=1264389, decompressed_slices=459623, duration.command.search.index=11035, invocations.command.search.index.bucketcache.hit=148, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=77415, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12843681, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 00:57:22.739, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654822560_35663', total_run_time=15.19, event_count=0, result_count=0, available_count=0, scan_count=27254169, drop_count=0, exec_time=1654822610, api_et=1654808160.000000000, api_lt=1654822560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654808160.000000000, search_lt=1654822560.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2749", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=148, eliminated_buckets=0, considered_events=27254169, total_slices=1262456, decompressed_slices=460066, duration.command.search.index=9932, invocations.command.search.index.bucketcache.hit=148, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=71752, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12848227, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 00:56:22.854, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654822500_35652', total_run_time=15.77, event_count=0, result_count=0, available_count=0, scan_count=27281033, drop_count=0, exec_time=1654822549, api_et=1654808100.000000000, api_lt=1654822500.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654808100.000000000, search_lt=1654822500.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3219", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=148, eliminated_buckets=0, considered_events=27281033, total_slices=1259989, decompressed_slices=460414, duration.command.search.index=9886, invocations.command.search.index.bucketcache.hit=148, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=71340, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12853625, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 00:55:14.580, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654822440_35634', total_run_time=23.25, event_count=0, result_count=0, available_count=0, scan_count=27305888, drop_count=0, exec_time=1654822490, api_et=1654808040.000000000, api_lt=1654822440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654808040.000000000, search_lt=1654822440.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3087", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=149, eliminated_buckets=0, considered_events=27305888, total_slices=1284568, decompressed_slices=460808, duration.command.search.index=10136, invocations.command.search.index.bucketcache.hit=149, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=72395, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12861037, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 00:54:58.092, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654822380_35617', total_run_time=25.70, event_count=0, result_count=0, available_count=0, scan_count=27331409, drop_count=0, exec_time=1654822429, api_et=1654807980.000000000, api_lt=1654822380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654807980.000000000, search_lt=1654822380.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2788", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=149, eliminated_buckets=1, considered_events=27331409, total_slices=1282549, decompressed_slices=461138, duration.command.search.index=10165, invocations.command.search.index.bucketcache.hit=149, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=71851, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12867095, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 00:54:57.636, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654822320_35592', total_run_time=41.19, event_count=0, result_count=0, available_count=0, scan_count=27357466, drop_count=0, exec_time=1654822369, api_et=1654807920.000000000, api_lt=1654822320.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654807920.000000000, search_lt=1654822320.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2726", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=150, eliminated_buckets=1, considered_events=27357466, total_slices=1306410, decompressed_slices=461486, duration.command.search.index=11464, invocations.command.search.index.bucketcache.hit=150, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=87535, invocations.command.search.rawdata.bucketcache.hit=20, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12873646, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 00:52:43.788, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654822260_35574', total_run_time=37.18, event_count=0, result_count=0, available_count=0, scan_count=27381052, drop_count=0, exec_time=1654822309, api_et=1654807860.000000000, api_lt=1654822260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654807860.000000000, search_lt=1654822260.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2751", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=150, eliminated_buckets=1, considered_events=27381052, total_slices=1304463, decompressed_slices=461726, duration.command.search.index=10258, invocations.command.search.index.bucketcache.hit=150, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=81503, invocations.command.search.rawdata.bucketcache.hit=20, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12878736, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 00:51:34.261, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654822200_35550', total_run_time=33.55, event_count=0, result_count=0, available_count=0, scan_count=27404377, drop_count=0, exec_time=1654822249, api_et=1654807800.000000000, api_lt=1654822200.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654807800.000000000, search_lt=1654822200.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2765", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=150, eliminated_buckets=1, considered_events=27404377, total_slices=1302631, decompressed_slices=462002, duration.command.search.index=13196, invocations.command.search.index.bucketcache.hit=150, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=96762, invocations.command.search.rawdata.bucketcache.hit=20, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12885940, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 00:51:14.910, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654822140_35528', total_run_time=43.82, event_count=0, result_count=0, available_count=0, scan_count=27428988, drop_count=0, exec_time=1654822189, api_et=1654807740.000000000, api_lt=1654822140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654807740.000000000, search_lt=1654822140.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2749", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=150, eliminated_buckets=1, considered_events=27428988, total_slices=1300629, decompressed_slices=462231, duration.command.search.index=11595, invocations.command.search.index.bucketcache.hit=150, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=97108, invocations.command.search.rawdata.bucketcache.hit=20, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12891650, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 00:51:13.998, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654822080_35505', total_run_time=36.04, event_count=0, result_count=0, available_count=0, scan_count=27449681, drop_count=0, exec_time=1654822129, api_et=1654807680.000000000, api_lt=1654822080.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654807680.000000000, search_lt=1654822080.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2861", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=151, eliminated_buckets=1, considered_events=27449681, total_slices=1324838, decompressed_slices=462453, duration.command.search.index=12198, invocations.command.search.index.bucketcache.hit=151, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=99364, invocations.command.search.rawdata.bucketcache.hit=21, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12895740, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 00:51:13.954, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654822020_35489', total_run_time=35.06, event_count=0, result_count=0, available_count=0, scan_count=27472271, drop_count=0, exec_time=1654822070, api_et=1654807620.000000000, api_lt=1654822020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654807620.000000000, search_lt=1654822020.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2894", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=151, eliminated_buckets=1, considered_events=27472271, total_slices=1322780, decompressed_slices=462608, duration.command.search.index=10462, invocations.command.search.index.bucketcache.hit=151, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=85049, invocations.command.search.rawdata.bucketcache.hit=21, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12902330, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 00:47:40.022, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654821960_35466', total_run_time=30.51, event_count=0, result_count=0, available_count=0, scan_count=27492160, drop_count=0, exec_time=1654822009, api_et=1654807560.000000000, api_lt=1654821960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654807560.000000000, search_lt=1654821960.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2704", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=151, eliminated_buckets=1, considered_events=27492160, total_slices=1320871, decompressed_slices=462877, duration.command.search.index=10936, invocations.command.search.index.bucketcache.hit=151, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=81091, invocations.command.search.rawdata.bucketcache.hit=21, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12905632, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 00:46:38.096, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654821900_35447', total_run_time=25.59, event_count=0, result_count=0, available_count=0, scan_count=27514165, drop_count=0, exec_time=1654821949, api_et=1654807500.000000000, api_lt=1654821900.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654807500.000000000, search_lt=1654821900.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2742", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=152, eliminated_buckets=1, considered_events=27514165, total_slices=1344618, decompressed_slices=463179, duration.command.search.index=10423, invocations.command.search.index.bucketcache.hit=152, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=76149, invocations.command.search.rawdata.bucketcache.hit=22, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12910939, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 00:45:34.479, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654821780_35398', total_run_time=21.47, event_count=0, result_count=0, available_count=0, scan_count=27555703, drop_count=0, exec_time=1654821829, api_et=1654807380.000000000, api_lt=1654821780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654807380.000000000, search_lt=1654821780.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3363", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=151, eliminated_buckets=0, considered_events=27555703, total_slices=1340768, decompressed_slices=463801, duration.command.search.index=9961, invocations.command.search.index.bucketcache.hit=151, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=75301, invocations.command.search.rawdata.bucketcache.hit=21, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12921850, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 00:45:33.810, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654821840_35424', total_run_time=28.78, event_count=0, result_count=0, available_count=0, scan_count=27537150, drop_count=0, exec_time=1654821889, api_et=1654807440.000000000, api_lt=1654821840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654807440.000000000, search_lt=1654821840.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2720", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=151, eliminated_buckets=0, considered_events=27537150, total_slices=1342695, decompressed_slices=463480, duration.command.search.index=10313, invocations.command.search.index.bucketcache.hit=151, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=75270, invocations.command.search.rawdata.bucketcache.hit=22, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12916458, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 00:45:33.737, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654821780_35395', total_run_time=28.47, event_count=0, result_count=0, available_count=0, scan_count=3483, drop_count=0, exec_time=1654821817, api_et=1654818180.000000000, api_lt=1654821780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654818180.000000000, search_lt=1654821819.589260000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2336", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_50bdea1fe4297eb4", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=132, eliminated_buckets=0, considered_events=3483, total_slices=645785, decompressed_slices=1152, duration.command.search.index=1286, invocations.command.search.index.bucketcache.hit=132, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4807, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter 
vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 00:45:32.759, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654821720_35369', total_run_time=33.63, event_count=0, result_count=0, available_count=0, scan_count=27575155, drop_count=0, exec_time=1654821770, api_et=1654807320.000000000, api_lt=1654821720.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654807320.000000000, search_lt=1654821720.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2798", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=151, eliminated_buckets=0, considered_events=27575155, total_slices=1338899, decompressed_slices=463997, duration.command.search.index=11391, invocations.command.search.index.bucketcache.hit=151, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=84849, invocations.command.search.rawdata.bucketcache.hit=21, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12926871, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 00:42:57.547, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654821660_35345', total_run_time=39.68, event_count=0, result_count=0, available_count=0, scan_count=27593926, drop_count=0, exec_time=1654821709, api_et=1654807260.000000000, api_lt=1654821660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654807260.000000000, search_lt=1654821660.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2940", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=151, eliminated_buckets=0, considered_events=27593926, total_slices=1337018, decompressed_slices=464175, duration.command.search.index=11987, invocations.command.search.index.bucketcache.hit=151, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=100536, invocations.command.search.rawdata.bucketcache.hit=21, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12931078, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 00:41:30.577, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654821600_35322', total_run_time=26.10, event_count=0, result_count=0, available_count=0, scan_count=27616828, drop_count=0, exec_time=1654821649, api_et=1654807200.000000000, api_lt=1654821600.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654807200.000000000, search_lt=1654821600.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2678", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=151, eliminated_buckets=0, considered_events=27616828, total_slices=1335130, decompressed_slices=464394, duration.command.search.index=11775, invocations.command.search.index.bucketcache.hit=151, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=86045, invocations.command.search.rawdata.bucketcache.hit=21, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12935728, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 00:40:27.538, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654821540_35300', total_run_time=34.18, event_count=0, result_count=0, available_count=0, scan_count=27636688, drop_count=0, exec_time=1654821591, api_et=1654807140.000000000, api_lt=1654821540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654807140.000000000, search_lt=1654821540.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3098", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=151, eliminated_buckets=0, considered_events=27636688, total_slices=1332946, decompressed_slices=464719, duration.command.search.index=11470, invocations.command.search.index.bucketcache.hit=151, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=106844, invocations.command.search.rawdata.bucketcache.hit=21, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12942931, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 00:39:45.545, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654821480_35283', total_run_time=40.87, event_count=0, result_count=0, available_count=0, scan_count=27654901, drop_count=0, exec_time=1654821529, api_et=1654807080.000000000, api_lt=1654821480.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654807080.000000000, search_lt=1654821480.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2636", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=151, eliminated_buckets=0, considered_events=27654901, total_slices=1331022, decompressed_slices=464931, duration.command.search.index=11732, invocations.command.search.index.bucketcache.hit=151, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=84192, invocations.command.search.rawdata.bucketcache.hit=21, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12948213, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 00:39:44.414, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654821360_35254', total_run_time=62.60, event_count=0, result_count=0, available_count=0, scan_count=27696345, drop_count=0, exec_time=1654821410, api_et=1654806960.000000000, api_lt=1654821360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654806960.000000000, search_lt=1654821360.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2853", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=151, eliminated_buckets=0, considered_events=27696345, total_slices=1327152, decompressed_slices=465602, duration.command.search.index=11058, invocations.command.search.index.bucketcache.hit=151, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=95054, invocations.command.search.rawdata.bucketcache.hit=21, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12956326, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 00:36:08.474, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654821180_35189', total_run_time=127.71, event_count=0, result_count=0, available_count=0, scan_count=27752555, drop_count=0, exec_time=1654821229, api_et=1654806780.000000000, api_lt=1654821180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654806780.000000000, search_lt=1654821180.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2858", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=151, eliminated_buckets=0, considered_events=27752555, total_slices=1321128, decompressed_slices=466551, duration.command.search.index=18313, invocations.command.search.index.bucketcache.hit=151, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=127146, invocations.command.search.rawdata.bucketcache.hit=21, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12971139, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 00:34:37.379, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654821180_35177', total_run_time=43.04, event_count=0, result_count=0, available_count=0, scan_count=42224592, drop_count=0, exec_time=1654821206, api_et=1654817580.000000000, api_lt=1654821180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654817580.000000000, search_lt=1654821208.689939000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3868", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_506a7abdb1cbea5b", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1875, eliminated_buckets=132, considered_events=42224592, total_slices=14593682, decompressed_slices=4219150, duration.command.search.index=15413, invocations.command.search.index.bucketcache.hit=1874, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=240070, invocations.command.search.rawdata.bucketcache.hit=307, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 00:33:38.581, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654821060_35123', total_run_time=102.81, event_count=0, result_count=0, available_count=0, scan_count=27786957, drop_count=0, exec_time=1654821109, api_et=1654806660.000000000, api_lt=1654821060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654806660.000000000, search_lt=1654821060.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3100", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=152, eliminated_buckets=0, considered_events=27786957, total_slices=1317188, decompressed_slices=467031, duration.command.search.index=15796, invocations.command.search.index.bucketcache.hit=152, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=128868, invocations.command.search.rawdata.bucketcache.hit=21, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12978567, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 00:31:39.207, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654820940_35068', total_run_time=93.28, event_count=0, result_count=0, available_count=0, scan_count=27820998, drop_count=0, exec_time=1654820989, api_et=1654806540.000000000, api_lt=1654820940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654806540.000000000, search_lt=1654820940.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2796", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=152, eliminated_buckets=0, considered_events=27820998, total_slices=1339176, decompressed_slices=467569, duration.command.search.index=14395, invocations.command.search.index.bucketcache.hit=152, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=116679, invocations.command.search.rawdata.bucketcache.hit=22, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12990697, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 00:29:07.368, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654820820_35040', total_run_time=63.04, event_count=0, result_count=0, available_count=0, scan_count=27853493, drop_count=0, exec_time=1654820869, api_et=1654806420.000000000, api_lt=1654820820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654806420.000000000, search_lt=1654820820.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2724", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=152, eliminated_buckets=0, considered_events=27853493, total_slices=1335269, decompressed_slices=467953, duration.command.search.index=13488, invocations.command.search.index.bucketcache.hit=152, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=102648, invocations.command.search.rawdata.bucketcache.hit=22, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12999004, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 00:27:25.819, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654820700_35006', total_run_time=82.63, event_count=0, result_count=0, available_count=0, scan_count=27882931, drop_count=0, exec_time=1654820750, api_et=1654806300.000000000, api_lt=1654820700.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654806300.000000000, search_lt=1654820700.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3286", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=152, eliminated_buckets=0, considered_events=27882931, total_slices=1331068, decompressed_slices=468282, duration.command.search.index=13992, invocations.command.search.index.bucketcache.hit=152, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=108072, invocations.command.search.rawdata.bucketcache.hit=22, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13004287, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 00:27:04.373, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654820580_34974', total_run_time=109.42, event_count=0, result_count=0, available_count=0, scan_count=27904545, drop_count=0, exec_time=1654820630, api_et=1654806180.000000000, api_lt=1654820580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654806180.000000000, search_lt=1654820580.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2949", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=152, eliminated_buckets=0, considered_events=27904545, total_slices=1327184, decompressed_slices=468577, duration.command.search.index=17115, invocations.command.search.index.bucketcache.hit=152, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=113885, invocations.command.search.rawdata.bucketcache.hit=22, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13010120, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 00:23:46.256, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD5f35305de57109d38_at_1654820400_34902', total_run_time=140.75, event_count=13014562, result_count=15, available_count=0, scan_count=27934801, drop_count=0, exec_time=1654820458, api_et=1654806000.000000000, api_lt=1654820400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654806000.000000000, search_lt=1654820400.000000000, is_realtime=0, savedsearch_name="(1/3)_Public/NAT IP_Updating Existing IP", search_startup_time="2640", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_0f6d107c44b6659a", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=153, eliminated_buckets=0, considered_events=27934801, total_slices=1347649, decompressed_slices=468881, duration.command.search.index=20901, invocations.command.search.index.bucketcache.hit=153, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=144013, invocations.command.search.rawdata.bucketcache.hit=23, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13014562, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="False" | eval earliest_seen=strptime(existing_es, "%m/%d/%Y %H:%M:%S.%N") | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(earliest_seen) 
as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields ServiceType, host, src_translated_ip, earliest_seen, latest_seen, right_now, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 00:23:17.360, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654820280_34848', total_run_time=94.37, event_count=0, result_count=0, available_count=0, scan_count=27964924, drop_count=0, exec_time=1654820329, api_et=1654805880.000000000, api_lt=1654820280.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654805880.000000000, search_lt=1654820280.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2818", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=153, eliminated_buckets=0, considered_events=27964924, total_slices=1343155, decompressed_slices=469295, duration.command.search.index=18542, invocations.command.search.index.bucketcache.hit=153, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=140718, invocations.command.search.rawdata.bucketcache.hit=23, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13022253, 
search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 00:23:16.119, user=u00002, action=search, info=completed, search_id='scheduler__u00002__search__RMD5b133e58a16dd7195_at_1654819200_34574', total_run_time=831.50, event_count=2696, result_count=2695, available_count=0, scan_count=1756846, drop_count=0, exec_time=1654819488, api_et=1654732800.000000000, api_lt=1654819200.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1567209600.000000000, search_lt=1654819200.000000000, is_realtime=0, savedsearch_name="DMO Confluence Aging Metrics", search_startup_time="64588", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_search_u00002_d2dbb8860698c6f9", app="search", 
provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=30399, eliminated_buckets=4771, considered_events=1756846, total_slices=14094216, decompressed_slices=1089764, duration.command.search.index=2743115, invocations.command.search.index.bucketcache.hit=26851, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=3588, duration.command.search.index.bucketcache.miss=1716699, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=519849, invocations.command.search.rawdata.bucketcache.hit=19930, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=1665, duration.command.search.rawdata.bucketcache.miss=1280692, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__access=71088, sourcetype_count__atlassian:confluence:access=1170765, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search earliest=08/31/2019:00:00:00 latest=now index=ops_confluence url IN ("https://confluence.tshirt.com/display/SEC/*") uri_path="/rest/quickreload/latest/*" | fields url, uri_path | rex field=uri_path "\/rest\/quickreload\/latest\/(?<pageId>[^?]+)" | rex field=url "https:\/\/confluence.tshirt.com\/display\/SEC\/(?<pageTitle_1>[^?]+)" | rex field=url "https://confluence.tshirt.com/display/~u00001/(?<pageTitle_2>[^?]+)" | eval pageTitle=coalesce(pageTitle_1, pageTitle_2, "") | fields pageId, pageTitle | dedup pageId | join type=left pageId [search earliest=08/31/2019:00:00:00 latest=now index=ops_confluence PUT user=* url="https://confluence.tshirt.com/pages/resumedraft.action?draftId=*" uri_path="/rest/api/content/*" | rex field=uri_path 
"\/rest\/api\/content\/(?<pageId>[^?]+)\?status=draft" | stats latest(_time) AS last_edited latest(user) AS last_edited_by by pageId | fields last_edited last_edited_by pageId] | fields last_edited pageTitle pageId last_edited_by | eval days=round(((now()-last_edited)/86400),0) | convert ctime(last_edited) | table last_edited pageTitle pageId last_edited_by days | where pageId!=0 | sort +days | outputlookup dmo_conf_age.csv'] Audit:[timestamp=06-10-2022 00:23:14.303, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654820160_34803', total_run_time=83.96, event_count=0, result_count=0, available_count=0, scan_count=27986184, drop_count=0, exec_time=1654820210, api_et=1654805760.000000000, api_lt=1654820160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654805760.000000000, search_lt=1654820160.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2778", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=154, eliminated_buckets=0, considered_events=27986184, total_slices=1364923, decompressed_slices=469569, duration.command.search.index=14274, invocations.command.search.index.bucketcache.hit=154, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=127846, invocations.command.search.rawdata.bucketcache.hit=24, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, 
invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13029026, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 00:23:14.012, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654820400_34899', total_run_time=126.20, event_count=0, result_count=0, available_count=0, scan_count=27934804, drop_count=0, exec_time=1654820449, api_et=1654806000.000000000, api_lt=1654820400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654806000.000000000, search_lt=1654820400.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2633", has_error_msg=false, fully_completed_search=true, 
is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=153, eliminated_buckets=0, considered_events=27934804, total_slices=1347303, decompressed_slices=468882, duration.command.search.index=18540, invocations.command.search.index.bucketcache.hit=153, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=142922, invocations.command.search.rawdata.bucketcache.hit=23, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13014562, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval 
right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 00:16:30.002, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654820040_34768', total_run_time=90.23, event_count=0, result_count=0, available_count=0, scan_count=28014084, drop_count=0, exec_time=1654820089, api_et=1654805640.000000000, api_lt=1654820040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654805640.000000000, search_lt=1654820040.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2893", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=154, eliminated_buckets=0, considered_events=28014084, total_slices=1361389, decompressed_slices=469977, duration.command.search.index=15061, invocations.command.search.index.bucketcache.hit=154, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=126887, invocations.command.search.rawdata.bucketcache.hit=24, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13036877, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 00:16:29.882, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654820160_34797', total_run_time=9.06, event_count=0, result_count=0, available_count=0, scan_count=1, drop_count=0, exec_time=1654820170, api_et=1654815960.000000000, api_lt=1654819560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654816560.000000000, search_lt=1654820173.167538000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3733", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_c2c7c5fc83904116", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1056, eliminated_buckets=372, considered_events=1, total_slices=10286, decompressed_slices=1, duration.command.search.index=1046, invocations.command.search.index.bucketcache.hit=1056, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=194, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes 
values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 00:14:59.890, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654820040_34755', total_run_time=22.28, event_count=0, result_count=0, available_count=0, scan_count=14756, drop_count=0, exec_time=1654820063, api_et=1654816440.000000000, api_lt=1654820040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654816440.000000000, search_lt=1654820065.548597000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2933", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=417, eliminated_buckets=290, considered_events=14829, total_slices=416284, decompressed_slices=3691, duration.command.search.index=2980, 
invocations.command.search.index.bucketcache.hit=415, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=8807, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=70, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=315, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=857, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=199, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=4, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=220, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=7, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR 
sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." 
(CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-10-2022 00:13:59.982, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654819860_34700', total_run_time=122.05, event_count=0, result_count=0, available_count=0, scan_count=28053578, drop_count=0, exec_time=1654819909, api_et=1654805460.000000000, api_lt=1654819860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654805460.000000000, search_lt=1654819860.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2976", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=154, eliminated_buckets=0, considered_events=28053578, total_slices=1355090, decompressed_slices=470510, duration.command.search.index=17224, invocations.command.search.index.bucketcache.hit=154, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=146424, invocations.command.search.rawdata.bucketcache.hit=24, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13051793, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 00:12:00.097, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654819740_34653', total_run_time=116.23, event_count=0, result_count=0, available_count=0, scan_count=28078282, drop_count=0, exec_time=1654819789, api_et=1654805340.000000000, api_lt=1654819740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654805340.000000000, search_lt=1654819740.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2767", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=154, eliminated_buckets=0, considered_events=28078282, total_slices=1351287, decompressed_slices=470922, duration.command.search.index=23046, invocations.command.search.index.bucketcache.hit=154, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=205666, invocations.command.search.rawdata.bucketcache.hit=24, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13060618, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 00:11:30.130, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654819860_34683', total_run_time=5.55, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654819864, api_et=1654816260.000000000, api_lt=1654819860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654816260.000000000, search_lt=1654819866.545013000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2815", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_be9805c3c5ef3263", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=125, eliminated_buckets=55, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=36, invocations.command.search.index.bucketcache.hit=125, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 00:10:27.250, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654819620_34620', total_run_time=32.95, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654819646, api_et=1654816020.000000000, api_lt=1654819620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654816020.000000000, search_lt=1654819648.764755000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2917", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_0aa53be0ab947526", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=416, eliminated_buckets=197, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=2088, invocations.command.search.index.bucketcache.hit=416, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 00:10:26.817, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654819620_34627', total_run_time=45.41, event_count=1172, result_count=60, available_count=0, scan_count=444036, drop_count=0, exec_time=1654819680, api_et=1654816020.000000000, api_lt=1654819620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654816020.000000000, search_lt=1654819682.170815000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2919", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=417, eliminated_buckets=197, considered_events=453614, total_slices=563838, decompressed_slices=106406, duration.command.search.index=7900, invocations.command.search.index.bucketcache.hit=417, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=70721, invocations.command.search.rawdata.bucketcache.hit=9, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=4, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=360717, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=33451, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-10-2022 00:10:26.779, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654819560_34604', total_run_time=117.90, event_count=0, result_count=0, available_count=0, scan_count=28125574, drop_count=0, exec_time=1654819610, api_et=1654805160.000000000, api_lt=1654819560.000000000, 
api_index_et=N/A, api_index_lt=N/A, search_et=1654805160.000000000, search_lt=1654819560.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3317", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=153, eliminated_buckets=0, considered_events=28125574, total_slices=1370928, decompressed_slices=471545, duration.command.search.index=23841, invocations.command.search.index.bucketcache.hit=153, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=219587, invocations.command.search.rawdata.bucketcache.hit=24, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13073405, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | 
eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 00:10:26.487, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654819740_34645', total_run_time=54.76, event_count=0, result_count=0, available_count=0, scan_count=3800706, drop_count=0, exec_time=1654819745, api_et=1654815540.000000000, api_lt=1654819140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654815540.000000000, search_lt=1654819140.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3090", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_aae214b448e88fc6", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=813, eliminated_buckets=387, considered_events=3800706, total_slices=1008759, decompressed_slices=181680, duration.command.search.index=2166, invocations.command.search.index.bucketcache.hit=810, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=36370, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, 
invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=135, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-10-2022 00:06:21.535, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654819320_34480', total_run_time=190.53, event_count=0, result_count=0, available_count=0, scan_count=28179916, drop_count=0, exec_time=1654819369, 
api_et=1654804920.000000000, api_lt=1654819320.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654804920.000000000, search_lt=1654819320.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2874", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=153, eliminated_buckets=1, considered_events=28179916, total_slices=1362873, decompressed_slices=472636, duration.command.search.index=48692, invocations.command.search.index.bucketcache.hit=153, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=427496, invocations.command.search.rawdata.bucketcache.hit=23, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13090463, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS 
existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-10-2022 00:01:54.621, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD5447569e8e48a25cb_at_1654819200_34409', total_run_time=63.11, event_count=0, result_count=100, available_count=0, scan_count=0, drop_count=0, exec_time=1654819232, api_et=1654817400.000000000, api_lt=1654819200.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654817400.000000000, search_lt=1654819200.000000000, is_realtime=0, savedsearch_name="DMO SOP SIR Metrics", search_startup_time="63828", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=0, eliminated_buckets=0, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=0, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, 
invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='| inputlookup dmo_conf_age.csv | search pageTitle IN ("DMOESS*", "RQ-S*") NOT pageTitle IN ("*+Retired", "*+RETIRED") | rex field=pageTitle "^(?\S+?)\+" | join usecase_id [| search earliest=-1y index=sec_snow sourcetype=snow:sn_si_incident | rex field=description "(?s)\|\s(?(RQ-|DMOESS).*)?For ServiceNow Consumption:" | stats latest(number) as latest_sir_number by _time, usecase_title | makemv usecase_title delim=" | " | mvexpand usecase_title | search usecase_title IN ("RQ-*", "DMOESS*") | stats last(latest_sir_number) as latest_sir_number latest(_time) as last_appeared_in_sir by usecase_title | rex field=usecase_title "^(?\S*)" | fields usecase_id, usecase_title, latest_sir_number, last_appeared_in_sir] | stats values(pageTitle) as conf_pageTitle, values(last_edited_by) as conf_last_edited_by, values(last_edited) as conf_last_edited, values(days) as conf_days_since_last_edit, values(pageId) as conf_pageId by last_appeared_in_sir, latest_sir_number, usecase_id, usecase_title | convert ctime(last_appeared_in_sir) | outputlookup dmo_sop_sir_metrics.csv'] Audit:[timestamp=06-10-2022 00:01:54.582, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654819200_34413', total_run_time=61.86, event_count=0, result_count=0, available_count=0, scan_count=28222514, drop_count=0, exec_time=1654819249, api_et=1654804800.000000000, api_lt=1654819200.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654804800.000000000, search_lt=1654819200.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT 
IP_Updating New IP", search_startup_time="2804", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=153, eliminated_buckets=1, considered_events=28222514, total_slices=1384088, decompressed_slices=473458, duration.command.search.index=19574, invocations.command.search.index.bucketcache.hit=153, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=202532, invocations.command.search.rawdata.bucketcache.hit=23, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13109415, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) 
latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 23:44:25.395, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654818180_34120', total_run_time=21.07, event_count=0, result_count=0, available_count=0, scan_count=4099, drop_count=0, exec_time=1654818218, api_et=1654814580.000000000, api_lt=1654818180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654814580.000000000, search_lt=1654818220.036889000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2827", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_cacca2a416ec3134", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=4099, total_slices=611108, decompressed_slices=1312, duration.command.search.index=1118, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4849, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, 
invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 23:37:56.385, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654817580_33913', total_run_time=39.64, event_count=0, result_count=0, available_count=0, scan_count=41785473, drop_count=0, exec_time=1654817605, api_et=1654813980.000000000, api_lt=1654817580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654813980.000000000, search_lt=1654817607.730318000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3696", has_error_msg=false, 
fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_b447924be76b16e4", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1855, eliminated_buckets=132, considered_events=41785473, total_slices=14276074, decompressed_slices=4170858, duration.command.search.index=15171, invocations.command.search.index.bucketcache.hit=1854, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=230527, invocations.command.search.rawdata.bucketcache.hit=288, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, 
risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 23:16:29.433, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654816560_33575', total_run_time=8.59, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654816570, api_et=1654812360.000000000, api_lt=1654815960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654812960.000000000, search_lt=1654816572.678322000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3200", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_4b10c106ca389d77", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1059, eliminated_buckets=372, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=740, invocations.command.search.index.bucketcache.hit=1059, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 23:14:29.720, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654816440_33534', total_run_time=5.18, event_count=0, result_count=0, available_count=0, scan_count=23896, drop_count=0, exec_time=1654816463, api_et=1654812840.000000000, api_lt=1654816440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654812840.000000000, search_lt=1654816464.898902000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2826", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=417, eliminated_buckets=290, considered_events=24573, total_slices=608964, decompressed_slices=5143, duration.command.search.index=1374, invocations.command.search.index.bucketcache.hit=417, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=6467, invocations.command.search.rawdata.bucketcache.hit=5, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=58, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=413, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=1123, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=271, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=3, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=362, sourcetype_count__crowdstrike:falcon:fdr:RtfFileWritten=4, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=6, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR 
sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-09-2022 23:11:29.786, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654816260_33469', total_run_time=4.92, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654816264, api_et=1654812660.000000000, api_lt=1654816260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654812660.000000000, search_lt=1654816266.467516000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2809", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_ddf82df23d13c036", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=55, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=35, 
invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 23:09:50.239, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654816140_33438', total_run_time=17.93, event_count=0, result_count=0, available_count=0, scan_count=3955191, drop_count=0, exec_time=1654816145, api_et=1654811940.000000000, api_lt=1654815540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654811940.000000000, search_lt=1654815540.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3309", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_633be143a61c03f4", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=795, eliminated_buckets=371, considered_events=3955191, total_slices=1076129, decompressed_slices=194499, duration.command.search.index=1725, invocations.command.search.index.bucketcache.hit=793, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=32160, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=96, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 23:09:50.063, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654816020_33425', total_run_time=18.15, event_count=1277, result_count=68, available_count=0, scan_count=495548, drop_count=0, exec_time=1654816084, api_et=1654812420.000000000, api_lt=1654816020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654812420.000000000, search_lt=1654816086.324012000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2907", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=417, eliminated_buckets=200, considered_events=504931, total_slices=686610, decompressed_slices=129348, duration.command.search.index=3706, invocations.command.search.index.bucketcache.hit=416, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=37061, invocations.command.search.rawdata.bucketcache.hit=7, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=1, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=402758, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=35413, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype 
CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-09-2022 23:07:41.446, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654816020_33415', total_run_time=6.47, event_count=0, result_count=0, available_count=0, scan_count=1, drop_count=0, exec_time=1654816046, api_et=1654812420.000000000, api_lt=1654816020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654812420.000000000, search_lt=1654816047.949348000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2777", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_c9737bdf4bbe8132", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=416, eliminated_buckets=200, considered_events=1, total_slices=13637, decompressed_slices=1, duration.command.search.index=983, invocations.command.search.index.bucketcache.hit=416, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=191, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 22:44:13.556, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654814580_32952', total_run_time=22.08, event_count=0, result_count=0, available_count=0, scan_count=4465, drop_count=0, exec_time=1654814618, api_et=1654810980.000000000, api_lt=1654814580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654810980.000000000, search_lt=1654814620.765360000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2851", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_af0ec8c94bf62bff", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=4465, total_slices=736241, decompressed_slices=1397, duration.command.search.index=1110, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5040, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 22:34:06.836, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654813980_32742', total_run_time=35.82, event_count=0, result_count=0, available_count=0, scan_count=41874986, drop_count=0, exec_time=1654814005, api_et=1654810380.000000000, api_lt=1654813980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654810380.000000000, search_lt=1654814007.081471000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3960", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_d591639e2b584d6a", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1878, eliminated_buckets=132, considered_events=41874986, total_slices=14345156, decompressed_slices=4159703, duration.command.search.index=14961, invocations.command.search.index.bucketcache.hit=1877, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=227457, invocations.command.search.rawdata.bucketcache.hit=308, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 22:16:32.639, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654812960_32395', total_run_time=11.13, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654812971, api_et=1654808760.000000000, api_lt=1654812360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654809360.000000000, search_lt=1654812972.828962000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3149", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_303757ed9a82bf31", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1064, eliminated_buckets=374, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=812, invocations.command.search.index.bucketcache.hit=1064, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metadata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metadata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 22:14:32.909, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654812840_32355', total_run_time=5.37, event_count=0, result_count=0, available_count=0, scan_count=20104, drop_count=0, exec_time=1654812863, api_et=1654809240.000000000, api_lt=1654812840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654809240.000000000, search_lt=1654812865.338277000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2723", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=413, eliminated_buckets=288, considered_events=20374, total_slices=780114, decompressed_slices=5177, duration.command.search.index=1315, invocations.command.search.index.bucketcache.hit=413, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=6224, invocations.command.search.rawdata.bucketcache.hit=7, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=57, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=482, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=1297, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=302, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=4, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=331, sourcetype_count__crowdstrike:falcon:fdr:RtfFileWritten=4, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=10, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR 
sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-09-2022 22:11:32.760, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654812660_32290', total_run_time=4.71, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654812665, api_et=1654809060.000000000, api_lt=1654812660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654809060.000000000, search_lt=1654812667.057934000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2693", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_bdde1766a42db6a8", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=54, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=39, 
invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 22:10:33.150, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654812540_32258', total_run_time=17.94, event_count=0, result_count=0, available_count=0, scan_count=4009805, drop_count=0, exec_time=1654812545, api_et=1654808340.000000000, api_lt=1654811940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654808340.000000000, search_lt=1654811940.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3391", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_98e86f49374c6e15", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=811, eliminated_buckets=385, considered_events=4009805, total_slices=1054323, decompressed_slices=192811, duration.command.search.index=1909, invocations.command.search.index.bucketcache.hit=811, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=38086, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=138, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 22:10:33.094, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654812420_32239', total_run_time=17.24, event_count=1335, result_count=67, available_count=0, scan_count=532195, drop_count=0, exec_time=1654812480, api_et=1654808820.000000000, api_lt=1654812420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654808820.000000000, search_lt=1654812482.567816000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2939", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=411, eliminated_buckets=197, considered_events=540357, total_slices=690073, decompressed_slices=146487, duration.command.search.index=4043, invocations.command.search.index.bucketcache.hit=411, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=38540, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=5, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=430585, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=38224, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype 
CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-09-2022 22:07:58.410, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654812420_32234', total_run_time=5.46, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654812446, api_et=1654808820.000000000, api_lt=1654812420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654808820.000000000, search_lt=1654812447.930076000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2864", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_9807652d8956663d", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=410, eliminated_buckets=196, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=974, invocations.command.search.index.bucketcache.hit=410, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 21:44:53.513, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654810980_31772', total_run_time=28.93, event_count=0, result_count=0, available_count=0, scan_count=3703, drop_count=0, exec_time=1654811018, api_et=1654807380.000000000, api_lt=1654810980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654807380.000000000, search_lt=1654811020.190989000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3095", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_1b63b685192939e9", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=3703, total_slices=755639, decompressed_slices=1230, duration.command.search.index=1381, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=6359, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 21:34:26.939, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654810380_31569', total_run_time=44.61, event_count=0, result_count=0, available_count=0, scan_count=41863736, drop_count=0, exec_time=1654810406, api_et=1654806780.000000000, api_lt=1654810380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654806780.000000000, search_lt=1654810408.146016000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3865", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_ae6ac42aa369d480", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1863, eliminated_buckets=132, considered_events=41863736, total_slices=14161946, decompressed_slices=4158263, duration.command.search.index=16838, invocations.command.search.index.bucketcache.hit=1863, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=249351, invocations.command.search.rawdata.bucketcache.hit=291, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 21:16:27.097, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654809360_31227', total_run_time=16.04, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654809370, api_et=1654805160.000000000, api_lt=1654808760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654805760.000000000, search_lt=1654809372.356024000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3405", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_47622240c86db5d3", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1068, eliminated_buckets=374, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=2098, invocations.command.search.index.bucketcache.hit=1068, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 21:14:56.918, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654809240_31187', total_run_time=4.57, event_count=0, result_count=0, available_count=0, scan_count=18291, drop_count=0, exec_time=1654809263, api_et=1654805640.000000000, api_lt=1654809240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654805640.000000000, search_lt=1654809265.431606000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2786", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=411, eliminated_buckets=287, considered_events=19068, total_slices=853933, decompressed_slices=5096, duration.command.search.index=1429, invocations.command.search.index.bucketcache.hit=411, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=6289, invocations.command.search.rawdata.bucketcache.hit=6, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=80, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=526, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=1385, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=340, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=6, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=421, sourcetype_count__crowdstrike:falcon:fdr:RtfFileWritten=4, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=3, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR 
sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-09-2022 21:12:07.758, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654808940_31086', total_run_time=19.62, event_count=0, result_count=0, available_count=0, scan_count=4166880, drop_count=0, exec_time=1654808946, api_et=1654804740.000000000, api_lt=1654808340.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654804740.000000000, search_lt=1654808340.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3037", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_19d475aea61d4d38", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=813, eliminated_buckets=381, considered_events=4166880, total_slices=1151049, decompressed_slices=195096, duration.command.search.index=1768, 
invocations.command.search.index.bucketcache.hit=808, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=31629, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=152, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval 
risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 21:12:07.682, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654809060_31122', total_run_time=4.81, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654809064, api_et=1654805460.000000000, api_lt=1654809060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654805460.000000000, search_lt=1654809066.808744000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2802", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_8304480c65e10173", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=124, eliminated_buckets=51, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=31, invocations.command.search.index.bucketcache.hit=124, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 21:12:07.394, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654808820_31073', total_run_time=18.23, event_count=1303, result_count=61, available_count=0, scan_count=542280, drop_count=0, exec_time=1654808884, api_et=1654805220.000000000, api_lt=1654808820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654805220.000000000, search_lt=1654808886.434003000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2857", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=408, eliminated_buckets=194, considered_events=548515, total_slices=655458, decompressed_slices=148003, duration.command.search.index=4477, invocations.command.search.index.bucketcache.hit=408, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=40285, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=2, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=438758, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=39690, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-09-2022 21:07:43.428, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654808820_31063', total_run_time=7.64, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654808846, api_et=1654805220.000000000, api_lt=1654808820.000000000, api_index_et=N/A, 
api_index_lt=N/A, search_et=1654805220.000000000, search_lt=1654808847.964430000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2688", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_a69a212626dbb234", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=408, eliminated_buckets=194, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=996, invocations.command.search.index.bucketcache.hit=408, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine 
"sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 21:00:17.494, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654808340_30872', total_run_time=19.85, event_count=0, result_count=0, available_count=0, scan_count=29634907, drop_count=0, exec_time=1654808390, api_et=1654793940.000000000, api_lt=1654808340.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654793940.000000000, search_lt=1654808340.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2640", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=156, eliminated_buckets=0, considered_events=29634907, total_slices=1594494, decompressed_slices=487759, duration.command.search.index=10329, invocations.command.search.index.bucketcache.hit=156, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=91948, invocations.command.search.rawdata.bucketcache.hit=26, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13668374, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 20:59:09.795, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654808280_30859', total_run_time=16.73, event_count=0, result_count=0, available_count=0, 
scan_count=29632462, drop_count=0, exec_time=1654808329, api_et=1654793880.000000000, api_lt=1654808280.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654793880.000000000, search_lt=1654808280.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2780", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=155, eliminated_buckets=0, considered_events=29632462, total_slices=1592056, decompressed_slices=487626, duration.command.search.index=10269, invocations.command.search.index.bucketcache.hit=155, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=74161, invocations.command.search.rawdata.bucketcache.hit=26, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13668739, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv 
src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 20:58:54.689, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654808220_30844', total_run_time=17.72, event_count=0, result_count=0, available_count=0, scan_count=29635961, drop_count=0, exec_time=1654808269, api_et=1654793820.000000000, api_lt=1654808220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654793820.000000000, search_lt=1654808220.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2868", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=156, eliminated_buckets=0, considered_events=29635961, total_slices=1615757, decompressed_slices=487517, duration.command.search.index=10398, invocations.command.search.index.bucketcache.hit=156, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=77020, 
invocations.command.search.rawdata.bucketcache.hit=27, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13669134, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 20:58:54.616, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654808100_30816', total_run_time=17.11, event_count=0, result_count=0, available_count=0, scan_count=29636848, drop_count=0, exec_time=1654808149, api_et=1654793700.000000000, api_lt=1654808100.000000000, api_index_et=N/A, api_index_lt=N/A, 
search_et=1654793700.000000000, search_lt=1654808100.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3275", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=156, eliminated_buckets=0, considered_events=29636848, total_slices=1611096, decompressed_slices=487104, duration.command.search.index=10532, invocations.command.search.index.bucketcache.hit=156, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=74973, invocations.command.search.rawdata.bucketcache.hit=27, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13669185, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval 
isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 20:58:54.542, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654808160_30827', total_run_time=16.06, event_count=0, result_count=0, available_count=0, scan_count=29639065, drop_count=0, exec_time=1654808209, api_et=1654793760.000000000, api_lt=1654808160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654793760.000000000, search_lt=1654808160.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2661", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=156, eliminated_buckets=0, considered_events=29639065, total_slices=1613252, decompressed_slices=487257, duration.command.search.index=9908, invocations.command.search.index.bucketcache.hit=156, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=73792, invocations.command.search.rawdata.bucketcache.hit=27, duration.command.search.rawdata.bucketcache.hit=0, 
invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13670497, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 20:55:28.227, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654808040_30801', total_run_time=19.52, event_count=0, result_count=0, available_count=0, scan_count=29637578, drop_count=0, exec_time=1654808090, api_et=1654793640.000000000, api_lt=1654808040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654793640.000000000, search_lt=1654808040.000000000, is_realtime=0, 
savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2652", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=156, eliminated_buckets=0, considered_events=29637578, total_slices=1608760, decompressed_slices=486902, duration.command.search.index=10239, invocations.command.search.index.bucketcache.hit=156, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=71293, invocations.command.search.rawdata.bucketcache.hit=27, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13669598, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as 
ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 20:54:35.352, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654807860_30744', total_run_time=18.18, event_count=0, result_count=0, available_count=0, scan_count=29638810, drop_count=0, exec_time=1654807909, api_et=1654793460.000000000, api_lt=1654807860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654793460.000000000, search_lt=1654807860.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2727", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=156, eliminated_buckets=0, considered_events=29638810, total_slices=1601485, decompressed_slices=486637, duration.command.search.index=11869, invocations.command.search.index.bucketcache.hit=156, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=86052, invocations.command.search.rawdata.bucketcache.hit=26, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, 
invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13674190, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 20:54:34.830, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654807920_30761', total_run_time=17.50, event_count=0, result_count=0, available_count=0, scan_count=29637355, drop_count=0, exec_time=1654807969, api_et=1654793520.000000000, api_lt=1654807920.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654793520.000000000, search_lt=1654807920.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2573", has_error_msg=false, fully_completed_search=true, 
is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=156, eliminated_buckets=0, considered_events=29637355, total_slices=1604075, decompressed_slices=486715, duration.command.search.index=10886, invocations.command.search.index.bucketcache.hit=156, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=78458, invocations.command.search.rawdata.bucketcache.hit=26, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13672965, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval 
right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 20:54:34.534, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654807980_30784', total_run_time=15.64, event_count=0, result_count=0, available_count=0, scan_count=29637358, drop_count=0, exec_time=1654808029, api_et=1654793580.000000000, api_lt=1654807980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654793580.000000000, search_lt=1654807980.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2593", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=156, eliminated_buckets=0, considered_events=29637358, total_slices=1606395, decompressed_slices=486788, duration.command.search.index=10378, invocations.command.search.index.bucketcache.hit=156, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=70703, invocations.command.search.rawdata.bucketcache.hit=26, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13671662, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 20:54:34.459, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654807800_30720', total_run_time=20.52, event_count=0, result_count=0, available_count=0, scan_count=29638024, drop_count=0, exec_time=1654807850, api_et=1654793400.000000000, api_lt=1654807800.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654793400.000000000, search_lt=1654807800.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2723", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=155, eliminated_buckets=0, considered_events=29638024, total_slices=1599491, decompressed_slices=486534, duration.command.search.index=11991, invocations.command.search.index.bucketcache.hit=155, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=88520, invocations.command.search.rawdata.bucketcache.hit=26, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13673645, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 20:50:34.392, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654807740_30697', total_run_time=22.58, event_count=0, result_count=0, available_count=0, scan_count=29638879, drop_count=0, exec_time=1654807790, api_et=1654793340.000000000, api_lt=1654807740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654793340.000000000, search_lt=1654807740.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2662", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=156, eliminated_buckets=0, considered_events=29638879, total_slices=1623426, decompressed_slices=486419, duration.command.search.index=11242, invocations.command.search.index.bucketcache.hit=156, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=103033, invocations.command.search.rawdata.bucketcache.hit=27, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13676467, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 20:49:26.900, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654807680_30676', total_run_time=31.98, event_count=0, result_count=0, available_count=0, scan_count=29642250, drop_count=0, exec_time=1654807730, api_et=1654793280.000000000, api_lt=1654807680.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654793280.000000000, search_lt=1654807680.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2679", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=156, eliminated_buckets=0, considered_events=29642250, total_slices=1621026, decompressed_slices=486459, duration.command.search.index=12830, invocations.command.search.index.bucketcache.hit=156, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=100263, invocations.command.search.rawdata.bucketcache.hit=26, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13679556, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 20:49:11.031, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654807560_30639', total_run_time=16.24, event_count=0, result_count=0, available_count=0, scan_count=29649478, drop_count=0, exec_time=1654807609, api_et=1654793160.000000000, api_lt=1654807560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654793160.000000000, search_lt=1654807560.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2620", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=156, eliminated_buckets=0, considered_events=29649478, total_slices=1642386, decompressed_slices=486298, duration.command.search.index=10065, invocations.command.search.index.bucketcache.hit=156, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=73622, invocations.command.search.rawdata.bucketcache.hit=26, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13687474, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 20:49:10.999, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654807500_30621', total_run_time=16.06, event_count=0, result_count=0, available_count=0, scan_count=29648293, drop_count=0, exec_time=1654807550, api_et=1654793100.000000000, api_lt=1654807500.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654793100.000000000, search_lt=1654807500.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2748", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=156, eliminated_buckets=0, considered_events=29648293, total_slices=1640163, decompressed_slices=486114, duration.command.search.index=10197, invocations.command.search.index.bucketcache.hit=156, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=76267, invocations.command.search.rawdata.bucketcache.hit=26, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13687111, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 20:49:10.823, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654807620_30660', total_run_time=15.67, event_count=0, result_count=0, available_count=0, scan_count=29647307, drop_count=0, exec_time=1654807669, api_et=1654793220.000000000, api_lt=1654807620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654793220.000000000, search_lt=1654807620.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2662", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=155, eliminated_buckets=0, considered_events=29647307, total_slices=1618767, decompressed_slices=486383, duration.command.search.index=10218, invocations.command.search.index.bucketcache.hit=155, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=73175, invocations.command.search.rawdata.bucketcache.hit=26, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13684396, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 20:45:25.887, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654807440_30599', total_run_time=17.13, event_count=0, result_count=0, available_count=0, scan_count=29649650, drop_count=0, exec_time=1654807489, api_et=1654793040.000000000, api_lt=1654807440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654793040.000000000, search_lt=1654807440.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3327", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=157, eliminated_buckets=0, considered_events=29649650, total_slices=1637950, decompressed_slices=486111, duration.command.search.index=10345, invocations.command.search.index.bucketcache.hit=156, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=73607, invocations.command.search.rawdata.bucketcache.hit=26, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13689212, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 20:44:32.682, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654807380_30578', total_run_time=15.26, event_count=0, result_count=0, available_count=0, scan_count=29652428, drop_count=0, exec_time=1654807429, api_et=1654792980.000000000, api_lt=1654807380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654792980.000000000, search_lt=1654807380.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3098", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=157, eliminated_buckets=0, considered_events=29652428, total_slices=1635588, decompressed_slices=486035, duration.command.search.index=9854, invocations.command.search.index.bucketcache.hit=157, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=72744, invocations.command.search.rawdata.bucketcache.hit=26, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13690822, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 20:44:31.487, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654807380_30575', total_run_time=20.53, event_count=0, result_count=0, available_count=0, scan_count=4252, drop_count=0, exec_time=1654807418, api_et=1654803780.000000000, api_lt=1654807380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654803780.000000000, search_lt=1654807420.775340000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2788", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_e1268c11744d6283", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=0, considered_events=4252, total_slices=847886, decompressed_slices=1426, duration.command.search.index=1133, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4871, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter 
vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 20:44:30.930, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654807200_30503', total_run_time=34.38, event_count=0, result_count=0, available_count=0, scan_count=29663712, drop_count=0, exec_time=1654807249, api_et=1654792800.000000000, api_lt=1654807200.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654792800.000000000, search_lt=1654807200.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2703", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=157, eliminated_buckets=0, considered_events=29663712, total_slices=1655256, decompressed_slices=485720, duration.command.search.index=12886, invocations.command.search.index.bucketcache.hit=157, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=93480, invocations.command.search.rawdata.bucketcache.hit=26, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13695469, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 20:44:30.447, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654807320_30551', total_run_time=24.25, event_count=0, result_count=0, available_count=0, scan_count=29653381, drop_count=0, exec_time=1654807369, api_et=1654792920.000000000, api_lt=1654807320.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654792920.000000000, search_lt=1654807320.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2966", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=157, eliminated_buckets=0, considered_events=29653381, total_slices=1633493, decompressed_slices=485991, duration.command.search.index=10744, invocations.command.search.index.bucketcache.hit=157, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=80718, invocations.command.search.rawdata.bucketcache.hit=26, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13691928, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 20:44:30.288, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654807260_30528', total_run_time=21.62, event_count=0, result_count=0, available_count=0, scan_count=29659877, drop_count=0, exec_time=1654807310, api_et=1654792860.000000000, api_lt=1654807260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654792860.000000000, search_lt=1654807260.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2954", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=157, eliminated_buckets=0, considered_events=29659877, total_slices=1657195, decompressed_slices=485904, duration.command.search.index=10566, invocations.command.search.index.bucketcache.hit=157, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=79770, invocations.command.search.rawdata.bucketcache.hit=26, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13693045, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 20:44:29.669, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654807140_30481', total_run_time=18.24, event_count=0, result_count=0, available_count=0, scan_count=29668955, drop_count=0, exec_time=1654807189, api_et=1654792740.000000000, api_lt=1654807140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654792740.000000000, search_lt=1654807140.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2719", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=157, eliminated_buckets=0, considered_events=29668955, total_slices=1652623, decompressed_slices=485604, duration.command.search.index=10167, invocations.command.search.index.bucketcache.hit=157, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=78544, invocations.command.search.rawdata.bucketcache.hit=26, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13697454, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 20:39:08.251, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654807080_30464', total_run_time=14.75, event_count=0, result_count=0, available_count=0, scan_count=29681071, drop_count=0, exec_time=1654807129, api_et=1654792680.000000000, api_lt=1654807080.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654792680.000000000, search_lt=1654807080.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2696", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=156, eliminated_buckets=0, considered_events=29681071, total_slices=1650326, decompressed_slices=485515, duration.command.search.index=10067, invocations.command.search.index.bucketcache.hit=156, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=70466, invocations.command.search.rawdata.bucketcache.hit=26, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13707775, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 20:38:46.193, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654806900_30426', total_run_time=15.98, event_count=0, result_count=0, available_count=0, scan_count=29705718, drop_count=0, exec_time=1654806950, api_et=1654792500.000000000, api_lt=1654806900.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654792500.000000000, search_lt=1654806900.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2715", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=157, eliminated_buckets=1, considered_events=29705718, total_slices=1695662, decompressed_slices=485204, duration.command.search.index=10365, invocations.command.search.index.bucketcache.hit=157, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=74501, invocations.command.search.rawdata.bucketcache.hit=27, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13732961, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 20:38:45.927, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654806840_30405', total_run_time=21.92, event_count=0, result_count=0, available_count=0, scan_count=29709810, drop_count=0, exec_time=1654806889, api_et=1654792440.000000000, api_lt=1654806840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654792440.000000000, search_lt=1654806840.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2774", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=157, eliminated_buckets=1, considered_events=29709810, total_slices=1693190, decompressed_slices=485042, duration.command.search.index=12473, invocations.command.search.index.bucketcache.hit=157, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=86072, invocations.command.search.rawdata.bucketcache.hit=26, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13738797, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 20:38:44.772, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654806720_30332', total_run_time=23.54, event_count=0, result_count=0, available_count=0, scan_count=29720184, drop_count=0, exec_time=1654806769, api_et=1654792320.000000000, api_lt=1654806720.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654792320.000000000, search_lt=1654806720.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2730", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=158, eliminated_buckets=1, considered_events=29720184, total_slices=1714441, decompressed_slices=484857, duration.command.search.index=12215, invocations.command.search.index.bucketcache.hit=158, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=89082, invocations.command.search.rawdata.bucketcache.hit=27, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13754866, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 20:38:44.224, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654806780_30369', total_run_time=23.55, event_count=0, result_count=0, available_count=0, scan_count=29716216, drop_count=0, exec_time=1654806830, api_et=1654792380.000000000, api_lt=1654806780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654792380.000000000, search_lt=1654806780.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2732", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=158, eliminated_buckets=1, considered_events=29716216, total_slices=1716785, decompressed_slices=484979, duration.command.search.index=12268, invocations.command.search.index.bucketcache.hit=158, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=85643, invocations.command.search.rawdata.bucketcache.hit=27, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13748434, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 20:38:43.633, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654807020_30451', total_run_time=15.15, event_count=0, result_count=0, available_count=0, scan_count=29694036, drop_count=0, exec_time=1654807070, api_et=1654792620.000000000, api_lt=1654807020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654792620.000000000, search_lt=1654807020.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2719", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=157, eliminated_buckets=0, considered_events=29694036, total_slices=1700376, decompressed_slices=485463, duration.command.search.index=9951, invocations.command.search.index.bucketcache.hit=157, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=71934, invocations.command.search.rawdata.bucketcache.hit=27, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13720342, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 20:38:43.597, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654806780_30355', total_run_time=77.59, event_count=0, result_count=0, available_count=0, scan_count=41973228, drop_count=0, exec_time=1654806805, api_et=1654803180.000000000, api_lt=1654806780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654803180.000000000, search_lt=1654806807.192694000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3599", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_20c037a126344dcf", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1856, eliminated_buckets=132, considered_events=41973228, total_slices=13974217, decompressed_slices=4182275, duration.command.search.index=22651, invocations.command.search.index.bucketcache.hit=1855, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=316662, invocations.command.search.rawdata.bucketcache.hit=288, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 20:38:43.497, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654806960_30436', total_run_time=15.31, event_count=0, result_count=0, available_count=0, scan_count=29702009, drop_count=0, exec_time=1654807010, api_et=1654792560.000000000, api_lt=1654806960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654792560.000000000, search_lt=1654806960.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2668", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=157, eliminated_buckets=0, considered_events=29702009, total_slices=1698132, decompressed_slices=485409, duration.command.search.index=9938, invocations.command.search.index.bucketcache.hit=157, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=73600, invocations.command.search.rawdata.bucketcache.hit=27, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13728599, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 20:32:12.605, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654806660_30303', total_run_time=20.80, event_count=0, result_count=0, available_count=0, scan_count=29725657, drop_count=0, exec_time=1654806709, api_et=1654792260.000000000, api_lt=1654806660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654792260.000000000, search_lt=1654806660.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2610", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=158, eliminated_buckets=1, considered_events=29725657, total_slices=1712117, decompressed_slices=484742, duration.command.search.index=12793, invocations.command.search.index.bucketcache.hit=158, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=94619, invocations.command.search.rawdata.bucketcache.hit=27, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13761208, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 20:31:42.559, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654806600_30275', total_run_time=24.69, event_count=0, result_count=0, available_count=0, scan_count=29732693, drop_count=0, exec_time=1654806649, api_et=1654792200.000000000, api_lt=1654806600.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654792200.000000000, search_lt=1654806600.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2792", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=159, eliminated_buckets=1, considered_events=29732693, total_slices=1735549, decompressed_slices=484630, duration.command.search.index=14393, invocations.command.search.index.bucketcache.hit=159, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=108998, invocations.command.search.rawdata.bucketcache.hit=28, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13765088, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 20:30:29.629, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654806480_30233', total_run_time=15.23, event_count=0, result_count=0, available_count=0, scan_count=29747943, drop_count=0, exec_time=1654806529, api_et=1654792080.000000000, api_lt=1654806480.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654792080.000000000, search_lt=1654806480.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2759", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=159, eliminated_buckets=1, considered_events=29747943, total_slices=1731107, decompressed_slices=484450, duration.command.search.index=10291, invocations.command.search.index.bucketcache.hit=159, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=73954, invocations.command.search.rawdata.bucketcache.hit=28, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13782598, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 20:30:29.231, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654806540_30246', total_run_time=18.96, event_count=0, result_count=0, available_count=0, scan_count=29738774, drop_count=0, exec_time=1654806589, api_et=1654792140.000000000, api_lt=1654806540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654792140.000000000, search_lt=1654806540.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2775", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=159, eliminated_buckets=1, considered_events=29738774, total_slices=1733323, decompressed_slices=484559, duration.command.search.index=10113, invocations.command.search.index.bucketcache.hit=159, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=77431, invocations.command.search.rawdata.bucketcache.hit=28, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13770911, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 20:30:28.628, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654806420_30219', total_run_time=15.19, event_count=0, result_count=0, available_count=0, scan_count=29751888, drop_count=0, exec_time=1654806469, api_et=1654792020.000000000, api_lt=1654806420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654792020.000000000, search_lt=1654806420.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2729", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=159, eliminated_buckets=1, considered_events=29751888, total_slices=1728850, decompressed_slices=484414, duration.command.search.index=10435, invocations.command.search.index.bucketcache.hit=159, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=74752, invocations.command.search.rawdata.bucketcache.hit=28, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13788236, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 20:27:19.313, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654806360_30201', total_run_time=16.12, event_count=0, result_count=0, available_count=0, scan_count=29761204, drop_count=0, exec_time=1654806410, api_et=1654791960.000000000, api_lt=1654806360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654791960.000000000, search_lt=1654806360.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3732", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=159, eliminated_buckets=1, considered_events=29761204, total_slices=1726497, decompressed_slices=484238, duration.command.search.index=10105, invocations.command.search.index.bucketcache.hit=159, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=74368, invocations.command.search.rawdata.bucketcache.hit=28, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13799126, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 20:26:19.233, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654806300_30185', total_run_time=15.71, event_count=0, result_count=0, available_count=0, scan_count=29774262, drop_count=0, exec_time=1654806349, api_et=1654791900.000000000, api_lt=1654806300.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654791900.000000000, search_lt=1654806300.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2709", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=158, eliminated_buckets=1, considered_events=29774262, total_slices=1724401, decompressed_slices=484217, duration.command.search.index=10302, invocations.command.search.index.bucketcache.hit=158, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=74203, invocations.command.search.rawdata.bucketcache.hit=28, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13809471, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 20:25:19.167, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654806240_30171', total_run_time=18.72, event_count=0, result_count=0, available_count=0, scan_count=29776503, drop_count=0, exec_time=1654806289, api_et=1654791840.000000000, api_lt=1654806240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654791840.000000000, search_lt=1654806240.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2688", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=158, eliminated_buckets=1, considered_events=29776503, total_slices=1722208, decompressed_slices=484217, duration.command.search.index=10833, invocations.command.search.index.bucketcache.hit=158, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=74240, invocations.command.search.rawdata.bucketcache.hit=27, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13812882, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 20:24:18.085, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654806180_30153', total_run_time=17.38, event_count=0, result_count=0, available_count=0, scan_count=29788824, drop_count=0, exec_time=1654806229, api_et=1654791780.000000000, api_lt=1654806180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654791780.000000000, search_lt=1654806180.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2790", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=158, eliminated_buckets=2, considered_events=29788824, total_slices=1719952, decompressed_slices=484089, duration.command.search.index=10948, invocations.command.search.index.bucketcache.hit=158, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=76297, invocations.command.search.rawdata.bucketcache.hit=27, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13825067, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 20:24:02.851, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654806120_30121', total_run_time=18.57, event_count=0, result_count=0, available_count=0, scan_count=29795716, drop_count=0, exec_time=1654806170, api_et=1654791720.000000000, api_lt=1654806120.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654791720.000000000, search_lt=1654806120.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3000", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=157, eliminated_buckets=1, considered_events=29795716, total_slices=1717688, decompressed_slices=484124, duration.command.search.index=11027, invocations.command.search.index.bucketcache.hit=157, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=76615, invocations.command.search.rawdata.bucketcache.hit=27, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13832499, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 20:22:19.013, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654806060_30105', total_run_time=16.14, event_count=0, result_count=0, available_count=0, scan_count=29807152, drop_count=0, exec_time=1654806109, api_et=1654791660.000000000, api_lt=1654806060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654791660.000000000, search_lt=1654806060.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2836", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=157, eliminated_buckets=2, considered_events=29807152, total_slices=1715429, decompressed_slices=484047, duration.command.search.index=10370, invocations.command.search.index.bucketcache.hit=157, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=74684, invocations.command.search.rawdata.bucketcache.hit=27, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13841188, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 20:21:18.924, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654806000_30077', total_run_time=21.37, event_count=0, result_count=0, available_count=0, scan_count=29811878, drop_count=0, exec_time=1654806050, api_et=1654791600.000000000, api_lt=1654806000.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654791600.000000000, search_lt=1654806000.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2789", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=156, eliminated_buckets=1, considered_events=29811878, total_slices=1712992, decompressed_slices=483853, duration.command.search.index=11002, invocations.command.search.index.bucketcache.hit=156, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=77648, invocations.command.search.rawdata.bucketcache.hit=27, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13847038, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 20:20:19.338, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654805940_30054', total_run_time=18.09, event_count=0, result_count=0, available_count=0, scan_count=29811143, drop_count=0, exec_time=1654805989, api_et=1654791540.000000000, api_lt=1654805940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654791540.000000000, search_lt=1654805940.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2779", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=157, eliminated_buckets=1, considered_events=29811143, total_slices=1737468, decompressed_slices=483779, duration.command.search.index=10440, invocations.command.search.index.bucketcache.hit=157, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=80702, invocations.command.search.rawdata.bucketcache.hit=28, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13848199, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 20:19:19.118, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654805880_30028', total_run_time=17.17, event_count=0, result_count=0, available_count=0, scan_count=29815482, drop_count=0, exec_time=1654805930, api_et=1654791480.000000000, api_lt=1654805880.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654791480.000000000, search_lt=1654805880.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2759", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=157, eliminated_buckets=2, considered_events=29815482, total_slices=1735267, decompressed_slices=483583, duration.command.search.index=11082, invocations.command.search.index.bucketcache.hit=157, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=80933, invocations.command.search.rawdata.bucketcache.hit=28, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13854355, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 20:18:18.965, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654805820_30008', total_run_time=15.58, event_count=0, result_count=0, available_count=0, scan_count=29819997, drop_count=0, exec_time=1654805870, api_et=1654791420.000000000, api_lt=1654805820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654791420.000000000, search_lt=1654805820.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2676", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=157, eliminated_buckets=2, considered_events=29819997, total_slices=1733016, decompressed_slices=483670, duration.command.search.index=10546, invocations.command.search.index.bucketcache.hit=157, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=72638, invocations.command.search.rawdata.bucketcache.hit=27, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13860348, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 20:17:18.959, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654805760_29985', total_run_time=16.70, event_count=0, result_count=0, available_count=0, scan_count=29827533, drop_count=0, exec_time=1654805809, api_et=1654791360.000000000, api_lt=1654805760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654791360.000000000, search_lt=1654805760.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2579", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=157, eliminated_buckets=2, considered_events=29827533, total_slices=1730889, decompressed_slices=483661, duration.command.search.index=10577, invocations.command.search.index.bucketcache.hit=157, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=77086, invocations.command.search.rawdata.bucketcache.hit=27, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13867974, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 20:16:48.999, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654805760_29979', total_run_time=31.03, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654805771, api_et=1654801560.000000000, api_lt=1654805160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654802160.000000000, search_lt=1654805773.429666000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3761", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_b7ab096781549524", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1066, eliminated_buckets=377, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=1571, invocations.command.search.index.bucketcache.hit=1066, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 20:16:19.032, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654805700_29968', total_run_time=17.49, event_count=0, result_count=0, available_count=0, scan_count=29831206, drop_count=0, exec_time=1654805750, api_et=1654791300.000000000, api_lt=1654805700.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654791300.000000000, search_lt=1654805700.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3185", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=157, eliminated_buckets=2, considered_events=29831206, total_slices=1728702, decompressed_slices=483572, duration.command.search.index=10522, invocations.command.search.index.bucketcache.hit=157, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=77036, invocations.command.search.rawdata.bucketcache.hit=27, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13872260, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 20:15:19.276, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654805640_29949', total_run_time=15.83, event_count=0, result_count=0, available_count=0, scan_count=29828728, drop_count=0, exec_time=1654805689, api_et=1654791240.000000000, api_lt=1654805640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654791240.000000000, search_lt=1654805640.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2827", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=157, eliminated_buckets=2, considered_events=29828728, total_slices=1726453, decompressed_slices=483322, duration.command.search.index=10293, invocations.command.search.index.bucketcache.hit=157, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=72706, invocations.command.search.rawdata.bucketcache.hit=27, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13874496, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 20:14:49.210, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654805640_29935', total_run_time=4.19, event_count=0, result_count=0, available_count=0, scan_count=16176, drop_count=0, exec_time=1654805663, api_et=1654802040.000000000, api_lt=1654805640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654802040.000000000, search_lt=1654805665.637589000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2773", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=410, eliminated_buckets=286, considered_events=16463, total_slices=787119, decompressed_slices=5577, duration.command.search.index=1164, invocations.command.search.index.bucketcache.hit=410, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=6049, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=80, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=602, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=1379, 
sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=332, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=9, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=1070, sourcetype_count__crowdstrike:falcon:fdr:RtfFileWritten=5, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=15, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR 
sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-09-2022 20:14:18.923, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654805580_29925', total_run_time=14.87, event_count=0, result_count=0, available_count=0, scan_count=29826881, drop_count=0, exec_time=1654805629, api_et=1654791180.000000000, api_lt=1654805580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654791180.000000000, search_lt=1654805580.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2595", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=157, eliminated_buckets=2, considered_events=29826881, 
total_slices=1724146, decompressed_slices=483198, duration.command.search.index=9970, invocations.command.search.index.bucketcache.hit=157, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=74705, invocations.command.search.rawdata.bucketcache.hit=27, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13876182, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 
20:13:19.195, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654805520_29899', total_run_time=16.19, event_count=0, result_count=0, available_count=0, scan_count=29826110, drop_count=0, exec_time=1654805570, api_et=1654791120.000000000, api_lt=1654805520.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654791120.000000000, search_lt=1654805520.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2708", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=157, eliminated_buckets=2, considered_events=29826110, total_slices=1721973, decompressed_slices=483113, duration.command.search.index=9895, invocations.command.search.index.bucketcache.hit=157, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=75959, invocations.command.search.rawdata.bucketcache.hit=27, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13878596, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" 
dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 20:12:19.314, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654805460_29881', total_run_time=16.27, event_count=0, result_count=0, available_count=0, scan_count=29827282, drop_count=0, exec_time=1654805509, api_et=1654791060.000000000, api_lt=1654805460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654791060.000000000, search_lt=1654805460.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3157", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=158, eliminated_buckets=2, considered_events=29827282, total_slices=1745822, decompressed_slices=482951, duration.command.search.index=10655, invocations.command.search.index.bucketcache.hit=158, 
duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=77710, invocations.command.search.rawdata.bucketcache.hit=28, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13882668, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 20:11:19.279, user=u00001, action=search, info=completed, 
search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654805460_29864', total_run_time=4.77, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654805465, api_et=1654801860.000000000, api_lt=1654805460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654801860.000000000, search_lt=1654805467.401852000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2787", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_a20ef368f6865116", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=124, eliminated_buckets=51, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=39, invocations.command.search.index.bucketcache.hit=124, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) 
controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 20:11:19.087, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654805400_29856', total_run_time=17.99, event_count=0, result_count=0, available_count=0, scan_count=29830001, drop_count=0, exec_time=1654805450, api_et=1654791000.000000000, api_lt=1654805400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654791000.000000000, search_lt=1654805400.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2632", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=158, eliminated_buckets=2, considered_events=29830001, total_slices=1743606, decompressed_slices=482778, duration.command.search.index=10212, invocations.command.search.index.bucketcache.hit=158, duration.command.search.index.bucketcache.hit=0, 
invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=74200, invocations.command.search.rawdata.bucketcache.hit=28, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13888765, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 20:10:19.663, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654805280_29821', total_run_time=15.18, 
event_count=0, result_count=0, available_count=0, scan_count=29829577, drop_count=0, exec_time=1654805329, api_et=1654790880.000000000, api_lt=1654805280.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654790880.000000000, search_lt=1654805280.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2619", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=157, eliminated_buckets=1, considered_events=29829577, total_slices=1765126, decompressed_slices=482522, duration.command.search.index=10218, invocations.command.search.index.bucketcache.hit=157, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=72452, invocations.command.search.rawdata.bucketcache.hit=29, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13896805, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, 
dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 20:10:19.447, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654805220_29808', total_run_time=17.63, event_count=1294, result_count=62, available_count=0, scan_count=557496, drop_count=0, exec_time=1654805280, api_et=1654801620.000000000, api_lt=1654805220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654801620.000000000, search_lt=1654805282.480806000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2880", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=410, eliminated_buckets=197, considered_events=562763, total_slices=548630, decompressed_slices=135839, duration.command.search.index=5107, invocations.command.search.index.bucketcache.hit=410, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=43308, 
invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=2, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=446187, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=40751, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, 
risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-09-2022 20:10:19.433, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654805220_29805', total_run_time=22.70, event_count=0, result_count=0, available_count=0, scan_count=29829795, drop_count=0, exec_time=1654805270, api_et=1654790820.000000000, api_lt=1654805220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654790820.000000000, search_lt=1654805220.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2667", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=157, eliminated_buckets=1, considered_events=29829795, total_slices=1762807, decompressed_slices=482398, duration.command.search.index=12767, invocations.command.search.index.bucketcache.hit=157, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=91661, invocations.command.search.rawdata.bucketcache.hit=29, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13902001, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 20:10:19.302, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654805340_29829', total_run_time=19.80, event_count=0, result_count=0, available_count=0, scan_count=4142532, drop_count=0, exec_time=1654805345, api_et=1654801140.000000000, api_lt=1654804740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654801140.000000000, search_lt=1654804740.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3349", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_566818d497bb128c", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=818, eliminated_buckets=392, considered_events=4142532, total_slices=1189688, decompressed_slices=191320, duration.command.search.index=1684, invocations.command.search.index.bucketcache.hit=816, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=31415, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=108, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", 
risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 20:10:18.864, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654805340_29837', total_run_time=16.65, event_count=0, result_count=0, available_count=0, scan_count=29829127, drop_count=0, exec_time=1654805389, api_et=1654790940.000000000, api_lt=1654805340.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654790940.000000000, search_lt=1654805340.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2814", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=157, eliminated_buckets=1, considered_events=29829127, total_slices=1741429, decompressed_slices=482585, duration.command.search.index=9945, invocations.command.search.index.bucketcache.hit=157, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=78340, invocations.command.search.rawdata.bucketcache.hit=28, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, 
duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13891660, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 20:07:43.540, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654805220_29800', total_run_time=4.97, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654805246, api_et=1654801620.000000000, api_lt=1654805220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654801620.000000000, search_lt=1654805248.766261000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", 
search_startup_time="2750", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_1d0e9b5894755a4c", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=410, eliminated_buckets=197, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=856, invocations.command.search.index.bucketcache.hit=410, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName 
event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 20:07:13.585, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654805160_29785', total_run_time=15.74, event_count=0, result_count=0, available_count=0, scan_count=29829345, drop_count=0, exec_time=1654805210, api_et=1654790760.000000000, api_lt=1654805160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654790760.000000000, search_lt=1654805160.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2750", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=157, eliminated_buckets=1, considered_events=29829345, total_slices=1760559, decompressed_slices=482260, duration.command.search.index=10197, invocations.command.search.index.bucketcache.hit=157, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=73402, invocations.command.search.rawdata.bucketcache.hit=29, 
duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13907151, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 20:06:13.448, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654805100_29771', total_run_time=17.98, event_count=0, result_count=0, available_count=0, scan_count=29833784, drop_count=0, exec_time=1654805150, api_et=1654790700.000000000, api_lt=1654805100.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654790700.000000000, 
search_lt=1654805100.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3206", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=157, eliminated_buckets=1, considered_events=29833784, total_slices=1758345, decompressed_slices=482046, duration.command.search.index=10265, invocations.command.search.index.bucketcache.hit=157, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=75717, invocations.command.search.rawdata.bucketcache.hit=29, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13912695, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | 
search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 20:05:14.754, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654805040_29754', total_run_time=18.79, event_count=0, result_count=0, available_count=0, scan_count=29828697, drop_count=0, exec_time=1654805090, api_et=1654790640.000000000, api_lt=1654805040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654790640.000000000, search_lt=1654805040.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2808", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=157, eliminated_buckets=1, considered_events=29828697, total_slices=1756055, decompressed_slices=481780, duration.command.search.index=11582, invocations.command.search.index.bucketcache.hit=157, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=86222, invocations.command.search.rawdata.bucketcache.hit=29, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, 
duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13914828, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 20:05:13.934, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654804980_29713', total_run_time=19.76, event_count=0, result_count=0, available_count=0, scan_count=29826025, drop_count=0, exec_time=1654805029, api_et=1654790580.000000000, api_lt=1654804980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654790580.000000000, search_lt=1654804980.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", 
search_startup_time="2767", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=157, eliminated_buckets=1, considered_events=29826025, total_slices=1753756, decompressed_slices=481660, duration.command.search.index=12211, invocations.command.search.index.bucketcache.hit=157, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=89318, invocations.command.search.rawdata.bucketcache.hit=29, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13917582, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen 
earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 20:05:13.459, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654804920_29668', total_run_time=20.76, event_count=0, result_count=0, available_count=0, scan_count=29825945, drop_count=0, exec_time=1654804969, api_et=1654790520.000000000, api_lt=1654804920.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654790520.000000000, search_lt=1654804920.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2628", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=157, eliminated_buckets=1, considered_events=29825945, total_slices=1751321, decompressed_slices=481343, duration.command.search.index=12968, invocations.command.search.index.bucketcache.hit=157, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=94814, invocations.command.search.rawdata.bucketcache.hit=29, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13922656, 
search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 20:02:18.679, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654804860_29636', total_run_time=20.76, event_count=0, result_count=0, available_count=0, scan_count=29829633, drop_count=0, exec_time=1654804909, api_et=1654790460.000000000, api_lt=1654804860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654790460.000000000, search_lt=1654804860.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2662", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=157, eliminated_buckets=1, considered_events=29829633, total_slices=1749043, decompressed_slices=481099, duration.command.search.index=12069, invocations.command.search.index.bucketcache.hit=157, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=95216, invocations.command.search.rawdata.bucketcache.hit=29, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13927586, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 20:01:18.705, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654804800_29598', total_run_time=26.23, event_count=0, result_count=0, available_count=0, scan_count=29827197, drop_count=0, exec_time=1654804849, api_et=1654790400.000000000, api_lt=1654804800.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654790400.000000000, search_lt=1654804800.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2678", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=157, eliminated_buckets=1, considered_events=29827197, total_slices=1746734, decompressed_slices=480863, duration.command.search.index=12444, invocations.command.search.index.bucketcache.hit=157, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=105343, invocations.command.search.rawdata.bucketcache.hit=29, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13929425, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 19:45:57.427, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654803780_29314', total_run_time=20.97, event_count=0, result_count=0, available_count=0, scan_count=3064, drop_count=0, exec_time=1654803818, api_et=1654800180.000000000, api_lt=1654803780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654800180.000000000, search_lt=1654803820.438130000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2908", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_ba7747466ea681cb", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=3064, total_slices=1005416, decompressed_slices=965, duration.command.search.index=1132, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4896, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter 
vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 19:34:32.221, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654803180_29097', total_run_time=53.69, event_count=0, result_count=0, available_count=0, scan_count=41705957, drop_count=0, exec_time=1654803205, api_et=1654799580.000000000, api_lt=1654803180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654799580.000000000, search_lt=1654803207.084723000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3754", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_d16f8e3d648d0acb", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1872, eliminated_buckets=132, considered_events=41705957, total_slices=14019760, decompressed_slices=4174808, duration.command.search.index=15029, invocations.command.search.index.bucketcache.hit=1871, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=253760, invocations.command.search.rawdata.bucketcache.hit=302, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 19:16:34.613, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654802160_28761', total_run_time=19.25, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654802170, api_et=1654797960.000000000, api_lt=1654801560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654798560.000000000, search_lt=1654802172.002805000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3476", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_fffe3c930c70daad", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1064, eliminated_buckets=376, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=3528, invocations.command.search.index.bucketcache.hit=1064, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes 
values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 19:14:34.512, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654802040_28721', total_run_time=5.26, event_count=0, result_count=0, available_count=0, scan_count=22457, drop_count=0, exec_time=1654802064, api_et=1654798440.000000000, api_lt=1654802040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654798440.000000000, search_lt=1654802065.960109000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2964", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=407, eliminated_buckets=285, considered_events=23104, total_slices=680557, decompressed_slices=5673, duration.command.search.index=1358, 
invocations.command.search.index.bucketcache.hit=407, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=6335, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=72, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=563, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=1339, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=312, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=9, sourcetype_count__crowdstrike:falcon:fdr:PdfFileWritten=6, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=1422, sourcetype_count__crowdstrike:falcon:fdr:RtfFileWritten=7, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=7, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" 
OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." 
(CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-09-2022 19:12:08.361, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654801620_28605', total_run_time=22.09, event_count=1409, result_count=71, available_count=0, scan_count=571668, drop_count=0, exec_time=1654801680, api_et=1654798020.000000000, api_lt=1654801620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654798020.000000000, search_lt=1654801682.030299000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2816", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=407, eliminated_buckets=194, considered_events=578201, total_slices=493980, decompressed_slices=146055, duration.command.search.index=3948, invocations.command.search.index.bucketcache.hit=407, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=40483, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=2, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=450120, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=44529, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-09-2022 19:12:05.262, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654801740_28623', total_run_time=19.67, event_count=0, result_count=0, available_count=0, scan_count=4262006, drop_count=0, exec_time=1654801745, api_et=1654797540.000000000, api_lt=1654801140.000000000, 
api_index_et=N/A, api_index_lt=N/A, search_et=1654797540.000000000, search_lt=1654801140.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3088", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_2a68d180520cd37c", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=826, eliminated_buckets=404, considered_events=4262006, total_slices=1079083, decompressed_slices=198635, duration.command.search.index=1781, invocations.command.search.index.bucketcache.hit=821, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=32548, invocations.command.search.rawdata.bucketcache.hit=5, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=152, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | 
stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 19:12:05.076, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654801860_28655', total_run_time=5.35, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654801865, api_et=1654798260.000000000, api_lt=1654801860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654798260.000000000, search_lt=1654801867.371585000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="3348", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_d9e01eae1ee25056", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=125, eliminated_buckets=52, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=43, invocations.command.search.index.bucketcache.hit=125, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, 
invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 19:07:54.951, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654801620_28596', total_run_time=5.33, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654801646, api_et=1654798020.000000000, api_lt=1654801620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654798020.000000000, search_lt=1654801648.144044000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2746", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_6f93f604a889139f", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=407, eliminated_buckets=194, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=888, invocations.command.search.index.bucketcache.hit=407, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 18:44:03.328, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654800180_28123', total_run_time=22.85, event_count=0, result_count=0, available_count=0, scan_count=3895, drop_count=0, exec_time=1654800218, api_et=1654796580.000000000, api_lt=1654800180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654796580.000000000, search_lt=1654800220.220949000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2926", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_06043dd24f9ea712", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=1, considered_events=3895, total_slices=1002567, decompressed_slices=1283, duration.command.search.index=1167, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4995, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 18:38:48.490, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654799580_27914', total_run_time=94.82, event_count=0, result_count=0, available_count=0, scan_count=41595364, drop_count=0, exec_time=1654799605, api_et=1654795980.000000000, api_lt=1654799580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654795980.000000000, search_lt=1654799607.566410000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3736", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_4b0a5de5897adea8", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1877, eliminated_buckets=132, considered_events=41595364, total_slices=14237828, decompressed_slices=4144301, duration.command.search.index=17242, invocations.command.search.index.bucketcache.hit=1876, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=336134, invocations.command.search.rawdata.bucketcache.hit=302, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 18:16:50.398, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654798560_27563', total_run_time=12.26, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654798570, api_et=1654794360.000000000, api_lt=1654797960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654794960.000000000, search_lt=1654798572.695089000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3260", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_ba5eb69257c0b8c6", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1069, eliminated_buckets=380, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=1444, invocations.command.search.index.bucketcache.hit=1069, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 18:14:50.325, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654798440_27523', total_run_time=5.58, event_count=0, result_count=0, available_count=0, scan_count=20057, drop_count=0, exec_time=1654798462, api_et=1654794840.000000000, api_lt=1654798440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654794840.000000000, search_lt=1654798464.813132000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2757", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=422, eliminated_buckets=299, considered_events=21131, total_slices=562910, decompressed_slices=6519, duration.command.search.index=1523, invocations.command.search.index.bucketcache.hit=422, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=6290, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=84, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=783, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=1779, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=421, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=33, 
sourcetype_count__crowdstrike:falcon:fdr:PdfFileWritten=4, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=1317, sourcetype_count__crowdstrike:falcon:fdr:RtfFileWritten=2, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=32, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR 
sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-09-2022 18:11:21.421, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654798260_27456', total_run_time=5.44, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654798265, api_et=1654794660.000000000, api_lt=1654798260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654794660.000000000, search_lt=1654798267.502492000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="3412", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_f63b1b01f6b5c355", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=125, eliminated_buckets=51, considered_events=0, total_slices=0, decompressed_slices=0, 
duration.command.search.index=44, invocations.command.search.index.bucketcache.hit=125, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 18:10:20.345, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654798140_27423', total_run_time=20.22, event_count=0, result_count=0, available_count=0, scan_count=3910555, drop_count=0, exec_time=1654798145, api_et=1654793940.000000000, api_lt=1654797540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654793940.000000000, search_lt=1654797540.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3040", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_d28af7ac1047b800", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=821, eliminated_buckets=399, considered_events=3910555, total_slices=1121372, decompressed_slices=184365, duration.command.search.index=1707, invocations.command.search.index.bucketcache.hit=818, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=32563, invocations.command.search.rawdata.bucketcache.hit=7, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=155, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 18:10:20.213, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654798020_27403', total_run_time=21.90, event_count=1279, result_count=80, available_count=0, scan_count=588809, drop_count=0, exec_time=1654798080, api_et=1654794420.000000000, api_lt=1654798020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654794420.000000000, search_lt=1654798082.402056000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2955", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=425, eliminated_buckets=195, considered_events=594679, total_slices=638127, decompressed_slices=148461, duration.command.search.index=4064, invocations.command.search.index.bucketcache.hit=425, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=41784, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=5, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=459826, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=45762, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype 
CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-09-2022 18:07:57.738, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654798020_27398', total_run_time=6.67, event_count=0, result_count=0, available_count=0, scan_count=3, drop_count=0, exec_time=1654798046, api_et=1654794420.000000000, api_lt=1654798020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654794420.000000000, search_lt=1654798048.566180000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2707", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_b420180589e42eeb", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=424, eliminated_buckets=195, considered_events=3, total_slices=2805, decompressed_slices=3, duration.command.search.index=985, invocations.command.search.index.bucketcache.hit=424, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=473, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 17:45:39.907, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654796580_26935', total_run_time=21.39, event_count=0, result_count=0, available_count=0, scan_count=2917, drop_count=0, exec_time=1654796618, api_et=1654792980.000000000, api_lt=1654796580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654792980.000000000, search_lt=1654796620.370111000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2919", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_83865e1022431be1", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=2, considered_events=2917, total_slices=1054041, decompressed_slices=996, duration.command.search.index=1184, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4952, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 17:34:25.064, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654795980_26731', total_run_time=47.55, event_count=0, result_count=0, available_count=0, scan_count=41325201, drop_count=0, exec_time=1654796005, api_et=1654792380.000000000, api_lt=1654795980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654792380.000000000, search_lt=1654796007.194613000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3644", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_54370500d53e0428", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1851, eliminated_buckets=130, considered_events=41325201, total_slices=13952014, decompressed_slices=4111886, duration.command.search.index=14918, invocations.command.search.index.bucketcache.hit=1849, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=241192, invocations.command.search.rawdata.bucketcache.hit=269, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 17:16:54.684, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654794960_26394', total_run_time=17.38, event_count=0, result_count=0, available_count=0, scan_count=49, drop_count=0, exec_time=1654794971, api_et=1654790760.000000000, api_lt=1654794360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654791360.000000000, search_lt=1654794973.396758000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3354", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_f1632fcc28eb2b56", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1069, eliminated_buckets=378, considered_events=49, total_slices=19633, decompressed_slices=4, duration.command.search.index=1759, invocations.command.search.index.bucketcache.hit=1069, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=457, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 17:14:54.331, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654794840_26353', total_run_time=8.17, event_count=0, result_count=0, available_count=0, scan_count=21440, drop_count=0, exec_time=1654794863, api_et=1654791240.000000000, api_lt=1654794840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654791240.000000000, search_lt=1654794865.905946000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="3002", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=417, eliminated_buckets=292, considered_events=22182, total_slices=457942, decompressed_slices=5601, duration.command.search.index=1730, invocations.command.search.index.bucketcache.hit=417, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=6412, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=90, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=512, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=1391, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=328, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=21, 
sourcetype_count__crowdstrike:falcon:fdr:PdfFileWritten=6, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=984, sourcetype_count__crowdstrike:falcon:fdr:RtfFileWritten=3, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=8, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR 
sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-09-2022 17:11:15.059, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654794660_26277', total_run_time=5.29, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654794664, api_et=1654791060.000000000, api_lt=1654794660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654791060.000000000, search_lt=1654794666.930115000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="3229", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_ed94b289ab3b4e9e", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=124, eliminated_buckets=49, considered_events=0, total_slices=0, decompressed_slices=0, 
duration.command.search.index=51, invocations.command.search.index.bucketcache.hit=124, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 17:10:56.790, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654794540_26237', total_run_time=19.91, event_count=0, result_count=0, available_count=0, scan_count=4035038, drop_count=0, exec_time=1654794545, api_et=1654790340.000000000, api_lt=1654793940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654790340.000000000, search_lt=1654793940.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3059", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_5406f11dfb0efb92", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=810, eliminated_buckets=390, considered_events=4035038, total_slices=1075267, decompressed_slices=191899, duration.command.search.index=2175, invocations.command.search.index.bucketcache.hit=808, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=33710, invocations.command.search.rawdata.bucketcache.hit=7, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=133, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 17:10:56.777, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654794420_26219', total_run_time=25.38, event_count=1196, result_count=68, available_count=0, scan_count=556570, drop_count=0, exec_time=1654794480, api_et=1654790820.000000000, api_lt=1654794420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654790820.000000000, search_lt=1654794482.295304000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2802", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=415, eliminated_buckets=197, considered_events=563397, total_slices=685788, decompressed_slices=138248, duration.command.search.index=6523, invocations.command.search.index.bucketcache.hit=415, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=49023, invocations.command.search.rawdata.bucketcache.hit=6, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=7, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=429783, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=47486, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype 
CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-09-2022 17:07:54.272, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654794420_26213', total_run_time=11.22, event_count=0, result_count=0, available_count=0, scan_count=2, drop_count=0, exec_time=1654794446, api_et=1654790820.000000000, api_lt=1654794420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654790820.000000000, search_lt=1654794448.498007000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2865", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_7e024b41282d6c9f", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=415, eliminated_buckets=197, considered_events=2, total_slices=13541, decompressed_slices=2, duration.command.search.index=1103, invocations.command.search.index.bucketcache.hit=415, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=477, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 17:01:30.991, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654793940_26025', total_run_time=20.74, event_count=0, result_count=0, available_count=0, scan_count=26809302, drop_count=0, exec_time=1654793990, api_et=1654779540.000000000, api_lt=1654793940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654779540.000000000, search_lt=1654793940.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2628", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=1, considered_events=26809302, total_slices=1528545, decompressed_slices=425443, duration.command.search.index=9839, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=70056, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13409645, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 16:59:05.045, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654793880_26012', total_run_time=15.08, event_count=0, result_count=0, available_count=0, scan_count=26786375, drop_count=0, exec_time=1654793929, api_et=1654779480.000000000, api_lt=1654793880.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654779480.000000000, search_lt=1654793880.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2697", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=1, considered_events=26786375, total_slices=1526511, decompressed_slices=425070, duration.command.search.index=10096, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=65577, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13407599, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 16:58:43.008, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654793820_25996', total_run_time=18.86, event_count=0, result_count=0, available_count=0, scan_count=26759070, drop_count=0, exec_time=1654793870, api_et=1654779420.000000000, api_lt=1654793820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654779420.000000000, search_lt=1654793820.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2683", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=0, considered_events=26759070, total_slices=1524369, decompressed_slices=424785, duration.command.search.index=10822, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=71158, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13404825, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 16:58:41.915, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654793760_25977', total_run_time=16.65, event_count=0, result_count=0, available_count=0, scan_count=26732285, drop_count=0, exec_time=1654793809, api_et=1654779360.000000000, api_lt=1654793760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654779360.000000000, search_lt=1654793760.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2547", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=0, considered_events=26732285, total_slices=1522281, decompressed_slices=424508, duration.command.search.index=9821, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=65552, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13404015, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 16:58:40.674, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654793700_25966', total_run_time=17.11, event_count=0, result_count=0, available_count=0, scan_count=26710923, drop_count=0, exec_time=1654793749, api_et=1654779300.000000000, api_lt=1654793700.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654779300.000000000, search_lt=1654793700.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2723", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=1, considered_events=26710923, total_slices=1520422, decompressed_slices=424186, duration.command.search.index=9510, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=68269, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13403364, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 16:55:32.572, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654793640_25950', total_run_time=17.80, event_count=0, result_count=0, available_count=0, scan_count=26685511, drop_count=0, exec_time=1654793690, api_et=1654779240.000000000, api_lt=1654793640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654779240.000000000, search_lt=1654793640.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3157", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=1, considered_events=26685511, total_slices=1518305, decompressed_slices=423828, duration.command.search.index=10406, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=64667, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13399114, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 16:54:37.098, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654793580_25933', total_run_time=15.33, event_count=0, result_count=0, available_count=0, scan_count=26662527, drop_count=0, exec_time=1654793629, api_et=1654779180.000000000, api_lt=1654793580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654779180.000000000, search_lt=1654793580.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2841", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=1, considered_events=26662527, total_slices=1516186, decompressed_slices=423543, duration.command.search.index=9924, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=63338, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13395703, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 16:54:35.521, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654793520_25909', total_run_time=15.94, event_count=0, result_count=0, available_count=0, scan_count=26635673, drop_count=0, exec_time=1654793569, api_et=1654779120.000000000, api_lt=1654793520.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654779120.000000000, search_lt=1654793520.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2694", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=1, considered_events=26635673, total_slices=1514129, decompressed_slices=423237, duration.command.search.index=9764, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=68039, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13391066, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 16:54:34.112, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654793460_25892', total_run_time=16.89, event_count=0, result_count=0, available_count=0, scan_count=26612284, drop_count=0, exec_time=1654793509, api_et=1654779060.000000000, api_lt=1654793460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654779060.000000000, search_lt=1654793460.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2745", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=1, considered_events=26612284, total_slices=1512114, decompressed_slices=422923, duration.command.search.index=10534, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=68489, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13388074, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 16:51:27.552, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654793400_25868', total_run_time=16.28, event_count=0, result_count=0, available_count=0, scan_count=26589102, drop_count=0, exec_time=1654793450, api_et=1654779000.000000000, api_lt=1654793400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654779000.000000000, search_lt=1654793400.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2629", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=26589102, total_slices=1510104, decompressed_slices=422576, duration.command.search.index=9989, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=70666, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13383879, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 16:50:32.742, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654793340_25845', total_run_time=22.53, event_count=0, result_count=0, available_count=0, scan_count=26565276, drop_count=0, exec_time=1654793389, api_et=1654778940.000000000, api_lt=1654793340.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654778940.000000000, search_lt=1654793340.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2708", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=26565276, total_slices=1508091, decompressed_slices=422212, duration.command.search.index=9911, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=81121, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13380235, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 16:50:30.360, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654793280_25822', total_run_time=17.18, event_count=0, result_count=0, available_count=0, scan_count=26539764, drop_count=0, exec_time=1654793329, api_et=1654778880.000000000, api_lt=1654793280.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654778880.000000000, search_lt=1654793280.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2801", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=26539764, total_slices=1506117, decompressed_slices=421807, duration.command.search.index=10527, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=70232, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13376277, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 16:50:28.760, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654793220_25806', total_run_time=15.52, event_count=0, result_count=0, available_count=0, scan_count=26508305, drop_count=0, exec_time=1654793269, api_et=1654778820.000000000, api_lt=1654793220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654778820.000000000, search_lt=1654793220.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2813", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=26508305, total_slices=1503932, decompressed_slices=421416, duration.command.search.index=9805, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=65212, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13368473, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 16:50:28.507, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654793160_25784', total_run_time=14.94, event_count=0, result_count=0, available_count=0, scan_count=26484598, drop_count=0, exec_time=1654793209, api_et=1654778760.000000000, api_lt=1654793160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654778760.000000000, search_lt=1654793160.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2676", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=26484598, total_slices=1501480, decompressed_slices=421156, duration.command.search.index=9344, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=63116, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13365186, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 16:46:22.723, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654793100_25766', total_run_time=16.37, event_count=0, result_count=0, available_count=0, scan_count=26462498, drop_count=0, exec_time=1654793150, api_et=1654778700.000000000, api_lt=1654793100.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654778700.000000000, search_lt=1654793100.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2775", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=26462498, total_slices=1499965, decompressed_slices=420838, duration.command.search.index=9292, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=66678, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13362772, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 16:45:10.760, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654793040_25744', total_run_time=15.72, event_count=0, result_count=0, available_count=0, scan_count=26436486, drop_count=0, exec_time=1654793089, api_et=1654778640.000000000, api_lt=1654793040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654778640.000000000, search_lt=1654793040.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2832", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=26436486, total_slices=1497913, decompressed_slices=420350, duration.command.search.index=9334, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=66142, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13358169, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 16:44:53.993, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654792980_25720', total_run_time=21.90, event_count=0, result_count=0, available_count=0, scan_count=3666, drop_count=0, exec_time=1654793018, api_et=1654789380.000000000, api_lt=1654792980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654789380.000000000, search_lt=1654793020.494273000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2907", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_0c95d5bca71f4b8e", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=132, eliminated_buckets=0, considered_events=3666, total_slices=1240807, decompressed_slices=1089, duration.command.search.index=1169, invocations.command.search.index.bucketcache.hit=132, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4969, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 16:44:52.879, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654792860_25672', total_run_time=16.84, event_count=0, result_count=0, available_count=0, scan_count=26352953, drop_count=0, exec_time=1654792909, api_et=1654778460.000000000, api_lt=1654792860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654778460.000000000, search_lt=1654792860.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2848", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=26352953, total_slices=1491727, decompressed_slices=419415, duration.command.search.index=9893, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=68354, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13347350, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 16:44:52.509, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654792920_25695', total_run_time=18.36, event_count=0, result_count=0, available_count=0, scan_count=26389097, drop_count=0, exec_time=1654792969, api_et=1654778520.000000000, api_lt=1654792920.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654778520.000000000, search_lt=1654792920.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2737", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=26389097, total_slices=1493568, decompressed_slices=419805, duration.command.search.index=9788, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=68739, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13351902, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 16:44:52.342, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654792800_25646', total_run_time=20.37, event_count=0, result_count=0, available_count=0, scan_count=26322690, drop_count=0, exec_time=1654792849, api_et=1654778400.000000000, api_lt=1654792800.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654778400.000000000, search_lt=1654792800.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2758", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=26322690, total_slices=1489801, decompressed_slices=418945, duration.command.search.index=11271, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=76687, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13342279, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 16:44:52.134, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654792980_25723', total_run_time=15.89, event_count=0, result_count=0, available_count=0, scan_count=26412852, drop_count=0, exec_time=1654793029, api_et=1654778580.000000000, api_lt=1654792980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654778580.000000000, search_lt=1654792980.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3427", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=26412852, total_slices=1495810, decompressed_slices=420095, duration.command.search.index=9791, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=65809, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13355130, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 16:40:28.653, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654792740_25625', total_run_time=19.72, event_count=0, result_count=0, available_count=0, scan_count=26289383, drop_count=0, exec_time=1654792790, api_et=1654778340.000000000, api_lt=1654792740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654778340.000000000, search_lt=1654792740.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2660", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=26289383, total_slices=1487715, decompressed_slices=418562, duration.command.search.index=9605, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=73628, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13334194, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 16:39:30.588, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654792380_25512', total_run_time=19.70, event_count=0, result_count=0, available_count=0, scan_count=26067293, drop_count=0, exec_time=1654792429, api_et=1654777980.000000000, api_lt=1654792380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654777980.000000000, search_lt=1654792380.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2903", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=133, eliminated_buckets=0, considered_events=26067293, total_slices=1474932, decompressed_slices=416035, duration.command.search.index=11676, invocations.command.search.index.bucketcache.hit=133, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=80967, invocations.command.search.rawdata.bucketcache.hit=9, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13244433, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 16:39:30.169, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654792320_25476', total_run_time=21.90, event_count=0, result_count=0, available_count=0, scan_count=26031737, drop_count=0, exec_time=1654792369, api_et=1654777920.000000000, api_lt=1654792320.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654777920.000000000, search_lt=1654792320.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2778", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=133, eliminated_buckets=0, considered_events=26031737, total_slices=1472788, decompressed_slices=415694, duration.command.search.index=11799, invocations.command.search.index.bucketcache.hit=133, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=85461, invocations.command.search.rawdata.bucketcache.hit=9, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13228950, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 16:39:28.002, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654792620_25594', total_run_time=17.54, event_count=0, result_count=0, available_count=0, scan_count=26208635, drop_count=0, exec_time=1654792670, api_et=1654778220.000000000, api_lt=1654792620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654778220.000000000, search_lt=1654792620.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2752", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=26208635, total_slices=1483436, decompressed_slices=417725, duration.command.search.index=9362, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=63145, invocations.command.search.rawdata.bucketcache.hit=9, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13300778, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 16:39:27.857, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654792380_25498', total_run_time=70.70, event_count=0, result_count=0, available_count=0, scan_count=41234208, drop_count=0, exec_time=1654792405, api_et=1654788780.000000000, api_lt=1654792380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654788780.000000000, search_lt=1654792407.171039000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3772", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_19e59d2b46f50441", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1870, eliminated_buckets=130, considered_events=41234208, total_slices=14144268, decompressed_slices=4186977, duration.command.search.index=16176, invocations.command.search.index.bucketcache.hit=1869, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=248440, invocations.command.search.rawdata.bucketcache.hit=297, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 16:39:27.619, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654792560_25579', total_run_time=15.99, event_count=0, result_count=0, available_count=0, scan_count=26172116, drop_count=0, exec_time=1654792610, api_et=1654778160.000000000, api_lt=1654792560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654778160.000000000, search_lt=1654792560.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2679", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=26172116, total_slices=1480769, decompressed_slices=417207, duration.command.search.index=9336, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=65772, invocations.command.search.rawdata.bucketcache.hit=9, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13287871, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 16:39:27.386, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654792500_25569', total_run_time=15.43, event_count=0, result_count=0, available_count=0, scan_count=26138517, drop_count=0, exec_time=1654792550, api_et=1654778100.000000000, api_lt=1654792500.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654778100.000000000, search_lt=1654792500.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2818", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=1, considered_events=26138517, total_slices=1479099, decompressed_slices=416815, duration.command.search.index=9309, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=63377, invocations.command.search.rawdata.bucketcache.hit=9, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13275413, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 16:39:26.637, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654792680_25609', total_run_time=15.44, event_count=0, result_count=0, available_count=0, scan_count=26251241, drop_count=0, exec_time=1654792729, api_et=1654778280.000000000, api_lt=1654792680.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654778280.000000000, search_lt=1654792680.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2984", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=26251241, total_slices=1485487, decompressed_slices=418102, duration.command.search.index=9474, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=63630, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13318490, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 16:39:25.555, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654792440_25548', total_run_time=17.76, event_count=0, result_count=0, available_count=0, scan_count=26102724, drop_count=0, exec_time=1654792490, api_et=1654778040.000000000, api_lt=1654792440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654778040.000000000, search_lt=1654792440.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2844", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=133, eliminated_buckets=0, considered_events=26102724, total_slices=1476939, decompressed_slices=416361, duration.command.search.index=10706, invocations.command.search.index.bucketcache.hit=133, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=71028, invocations.command.search.rawdata.bucketcache.hit=9, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13261594, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 16:32:20.919, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654792260_25447', total_run_time=22.42, event_count=0, result_count=0, available_count=0, scan_count=25996769, drop_count=0, exec_time=1654792309, api_et=1654777860.000000000, api_lt=1654792260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654777860.000000000, search_lt=1654792260.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3287", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=133, eliminated_buckets=0, considered_events=25996769, total_slices=1470833, decompressed_slices=415337, duration.command.search.index=12642, invocations.command.search.index.bucketcache.hit=133, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=90604, invocations.command.search.rawdata.bucketcache.hit=9, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13216890, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 16:31:35.774, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654792200_25419', total_run_time=23.74, event_count=0, result_count=0, available_count=0, scan_count=25961472, drop_count=0, exec_time=1654792250, api_et=1654777800.000000000, api_lt=1654792200.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654777800.000000000, search_lt=1654792200.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2988", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=133, eliminated_buckets=0, considered_events=25961472, total_slices=1468786, decompressed_slices=415070, duration.command.search.index=12135, invocations.command.search.index.bucketcache.hit=133, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=91215, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13206157, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 16:31:09.777, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654792140_25390', total_run_time=17.31, event_count=0, result_count=0, available_count=0, scan_count=25923082, drop_count=0, exec_time=1654792189, api_et=1654777740.000000000, api_lt=1654792140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654777740.000000000, search_lt=1654792140.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2782", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=133, eliminated_buckets=0, considered_events=25923082, total_slices=1466669, decompressed_slices=414571, duration.command.search.index=9078, invocations.command.search.index.bucketcache.hit=133, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=69055, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13192831, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 16:31:08.935, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654792080_25370', total_run_time=17.71, event_count=0, result_count=0, available_count=0, scan_count=25879983, drop_count=0, exec_time=1654792129, api_et=1654777680.000000000, api_lt=1654792080.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654777680.000000000, search_lt=1654792080.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2732", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=133, eliminated_buckets=0, considered_events=25879983, total_slices=1464536, decompressed_slices=414085, duration.command.search.index=9214, invocations.command.search.index.bucketcache.hit=133, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=67671, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13173823, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 16:31:06.369, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654792020_25351', total_run_time=16.34, event_count=0, result_count=0, available_count=0, scan_count=25846019, drop_count=0, exec_time=1654792069, api_et=1654777620.000000000, api_lt=1654792020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654777620.000000000, search_lt=1654792020.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2723", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=133, eliminated_buckets=1, considered_events=25846019, total_slices=1462398, decompressed_slices=413691, duration.command.search.index=8842, invocations.command.search.index.bucketcache.hit=133, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=64608, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13160895, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 16:27:15.426, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654791960_25332', total_run_time=13.56, event_count=0, result_count=0, available_count=0, scan_count=25806056, drop_count=0, exec_time=1654792010, api_et=1654777560.000000000, api_lt=1654791960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654777560.000000000, search_lt=1654791960.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2553", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=133, eliminated_buckets=1, considered_events=25806056, total_slices=1460403, decompressed_slices=413268, duration.command.search.index=8980, invocations.command.search.index.bucketcache.hit=133, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=63680, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13143888, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 16:26:15.384, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654791900_25316', total_run_time=15.18, event_count=0, result_count=0, available_count=0, scan_count=25769054, drop_count=0, exec_time=1654791950, api_et=1654777500.000000000, api_lt=1654791900.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654777500.000000000, search_lt=1654791900.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3082", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=133, eliminated_buckets=1, considered_events=25769054, total_slices=1458354, decompressed_slices=412827, duration.command.search.index=9004, invocations.command.search.index.bucketcache.hit=133, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=63734, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13130446, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 16:25:15.462, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654791840_25303', total_run_time=16.56, event_count=0, result_count=0, available_count=0, scan_count=25739374, drop_count=0, exec_time=1654791890, api_et=1654777440.000000000, api_lt=1654791840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654777440.000000000, search_lt=1654791840.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2908", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=133, eliminated_buckets=1, considered_events=25739374, total_slices=1456162, decompressed_slices=412515, duration.command.search.index=9371, invocations.command.search.index.bucketcache.hit=133, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=63222, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13121882, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 16:24:15.346, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654791780_25284', total_run_time=13.96, event_count=0, result_count=0, available_count=0, scan_count=25704490, drop_count=0, exec_time=1654791829, api_et=1654777380.000000000, api_lt=1654791780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654777380.000000000, search_lt=1654791780.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2679", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=132, eliminated_buckets=1, considered_events=25704490, total_slices=1454064, decompressed_slices=412110, duration.command.search.index=9189, invocations.command.search.index.bucketcache.hit=132, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59577, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13108167, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 16:23:31.401, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654791720_25252', total_run_time=15.72, event_count=0, result_count=0, available_count=0, scan_count=25671027, drop_count=0, exec_time=1654791769, api_et=1654777320.000000000, api_lt=1654791720.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654777320.000000000, search_lt=1654791720.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2871", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=132, eliminated_buckets=1, considered_events=25671027, total_slices=1451892, decompressed_slices=411751, duration.command.search.index=9235, invocations.command.search.index.bucketcache.hit=132, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61632, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13097122, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 16:23:01.582, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD5f35305de57109d38_at_1654791600_25209', total_run_time=19.69, event_count=13075868, result_count=15, available_count=0, scan_count=25610056, drop_count=0, exec_time=1654791657, api_et=1654777200.000000000, api_lt=1654791600.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654777200.000000000, search_lt=1654791600.000000000, is_realtime=0, savedsearch_name="(1/3)_Public/NAT IP_Updating Existing IP", search_startup_time="2509", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_0f6d107c44b6659a", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=132, eliminated_buckets=1, considered_events=25610056, total_slices=1448111, decompressed_slices=411171, duration.command.search.index=9864, invocations.command.search.index.bucketcache.hit=132, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=68608, invocations.command.search.rawdata.bucketcache.hit=7, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13075868, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="False" | eval earliest_seen=strptime(existing_es, "%m/%d/%Y %H:%M:%S.%N") | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(earliest_seen) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields ServiceType, host, src_translated_ip, earliest_seen, latest_seen, right_now, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 16:23:01.152, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654791660_25236', total_run_time=14.38, event_count=0, result_count=0, available_count=0, scan_count=25635012, drop_count=0, exec_time=1654791710, api_et=1654777260.000000000, api_lt=1654791660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654777260.000000000, search_lt=1654791660.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2849", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=132, eliminated_buckets=1, considered_events=25635012, total_slices=1449846, decompressed_slices=411410, duration.command.search.index=9495, invocations.command.search.index.bucketcache.hit=132, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61969, invocations.command.search.rawdata.bucketcache.hit=7, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13084555, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 16:22:59.458, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654791480_25156', total_run_time=16.55, event_count=0, result_count=0, available_count=0, scan_count=25555436, drop_count=0, exec_time=1654791530, api_et=1654777080.000000000, api_lt=1654791480.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654777080.000000000, search_lt=1654791480.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2781", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=25555436, total_slices=1443850, decompressed_slices=410295, duration.command.search.index=10565, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=68209, invocations.command.search.rawdata.bucketcache.hit=7, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13060790, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 16:22:59.108, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654791600_25205', total_run_time=16.08, event_count=0, result_count=0, available_count=0, scan_count=25610067, drop_count=0, exec_time=1654791649, api_et=1654777200.000000000, api_lt=1654791600.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654777200.000000000, search_lt=1654791600.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2783", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=132, eliminated_buckets=1, considered_events=25610067, total_slices=1447887, decompressed_slices=411170, duration.command.search.index=10131, invocations.command.search.index.bucketcache.hit=132, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=65677, invocations.command.search.rawdata.bucketcache.hit=7, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13075868, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 16:22:58.837, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654791540_25182', total_run_time=17.86, event_count=0, result_count=0, available_count=0, scan_count=25582788, drop_count=0, exec_time=1654791590, api_et=1654777140.000000000, api_lt=1654791540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654777140.000000000, search_lt=1654791540.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2823", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=132, eliminated_buckets=1, considered_events=25582788, total_slices=1445839, decompressed_slices=410736, duration.command.search.index=9696, invocations.command.search.index.bucketcache.hit=132, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=72066, invocations.command.search.rawdata.bucketcache.hit=7, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13070093, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 16:22:58.119, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654791420_25136', total_run_time=15.69, event_count=0, result_count=0, available_count=0, scan_count=25527605, drop_count=0, exec_time=1654791469, api_et=1654777020.000000000, api_lt=1654791420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654777020.000000000, search_lt=1654791420.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2782", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=25527605, total_slices=1441490, decompressed_slices=409908, duration.command.search.index=9551, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=65174, invocations.command.search.rawdata.bucketcache.hit=7, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13051224, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 16:17:27.607, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654791360_25112', total_run_time=24.18, event_count=0, result_count=0, available_count=0, scan_count=25493897, drop_count=0, exec_time=1654791409, api_et=1654776960.000000000, api_lt=1654791360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654776960.000000000, search_lt=1654791360.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2783", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=25493897, total_slices=1439135, decompressed_slices=409534, duration.command.search.index=10164, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=70252, invocations.command.search.rawdata.bucketcache.hit=7, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13039449, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 16:16:56.459, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654791360_25106', total_run_time=23.24, event_count=0, result_count=0, available_count=0, scan_count=3, drop_count=0, exec_time=1654791371, api_et=1654787160.000000000, api_lt=1654790760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654787760.000000000, search_lt=1654791373.229343000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3429", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_1f2c3ab94d9f330b", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1066, eliminated_buckets=378, considered_events=3, total_slices=1165, decompressed_slices=1, duration.command.search.index=2724, invocations.command.search.index.bucketcache.hit=1066, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=212, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes 
values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 16:16:27.922, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654791300_25095', total_run_time=18.41, event_count=0, result_count=0, available_count=0, scan_count=25474965, drop_count=0, exec_time=1654791350, api_et=1654776900.000000000, api_lt=1654791300.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654776900.000000000, search_lt=1654791300.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3109", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=25474965, total_slices=1437592, 
decompressed_slices=409299, duration.command.search.index=10041, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=69924, invocations.command.search.rawdata.bucketcache.hit=7, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13034283, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 16:15:25.920, 
user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654791240_25076', total_run_time=19.44, event_count=0, result_count=0, available_count=0, scan_count=25448282, drop_count=0, exec_time=1654791289, api_et=1654776840.000000000, api_lt=1654791240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654776840.000000000, search_lt=1654791240.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2749", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=25448282, total_slices=1435578, decompressed_slices=409003, duration.command.search.index=9906, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=68860, invocations.command.search.rawdata.bucketcache.hit=7, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13027401, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" 
src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 16:14:56.030, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654791240_25063', total_run_time=6.55, event_count=0, result_count=0, available_count=0, scan_count=18412, drop_count=0, exec_time=1654791263, api_et=1654787640.000000000, api_lt=1654791240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654787640.000000000, search_lt=1654791265.058726000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2978", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=422, eliminated_buckets=291, considered_events=18444, total_slices=443794, decompressed_slices=5155, duration.command.search.index=1664, invocations.command.search.index.bucketcache.hit=421, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=7373, invocations.command.search.rawdata.bucketcache.hit=7, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=108, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=586, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=1533, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=369, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=15, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=499, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=13, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR 
sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." 
(CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-09-2022 16:14:26.146, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654791180_25053', total_run_time=16.96, event_count=0, result_count=0, available_count=0, scan_count=25423056, drop_count=0, exec_time=1654791230, api_et=1654776780.000000000, api_lt=1654791180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654776780.000000000, search_lt=1654791180.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2831", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=25423056, total_slices=1433551, decompressed_slices=408593, duration.command.search.index=10235, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=66890, invocations.command.search.rawdata.bucketcache.hit=7, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13020939, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 16:13:25.810, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654791120_25025', total_run_time=13.98, event_count=0, result_count=0, available_count=0, scan_count=25396922, drop_count=0, exec_time=1654791170, api_et=1654776720.000000000, api_lt=1654791120.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654776720.000000000, search_lt=1654791120.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2677", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=25396922, total_slices=1431467, decompressed_slices=408219, duration.command.search.index=8780, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=63991, invocations.command.search.rawdata.bucketcache.hit=7, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13014164, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 16:12:25.874, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654791060_25007', total_run_time=15.40, event_count=0, result_count=0, available_count=0, scan_count=25368866, drop_count=0, exec_time=1654791109, api_et=1654776660.000000000, api_lt=1654791060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654776660.000000000, search_lt=1654791060.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3285", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=0, considered_events=25368866, total_slices=1429630, decompressed_slices=407933, duration.command.search.index=9224, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=65002, invocations.command.search.rawdata.bucketcache.hit=7, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13006999, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 16:11:27.646, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654791060_24990', total_run_time=5.26, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654791065, api_et=1654787460.000000000, api_lt=1654791060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654787460.000000000, search_lt=1654791067.999977000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="3166", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_3ba8d7f5536a1907", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=125, eliminated_buckets=50, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=56, invocations.command.search.index.bucketcache.hit=125, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting 
to collect intellectual property from the Gitlab source control system." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 16:11:27.188, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654791000_24982', total_run_time=14.40, event_count=0, result_count=0, available_count=0, scan_count=25345763, drop_count=0, exec_time=1654791050, api_et=1654776600.000000000, api_lt=1654791000.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654776600.000000000, search_lt=1654791000.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2667", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=0, considered_events=25345763, total_slices=1427600, decompressed_slices=407834, duration.command.search.index=9153, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=62544, invocations.command.search.rawdata.bucketcache.hit=6, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13000174, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 16:10:15.096, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654790940_24962', total_run_time=15.26, event_count=0, result_count=0, available_count=0, scan_count=25319954, drop_count=0, exec_time=1654790989, api_et=1654776540.000000000, api_lt=1654790940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654776540.000000000, search_lt=1654790940.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2592", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=25319954, total_slices=1425669, decompressed_slices=407591, duration.command.search.index=9367, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61791, invocations.command.search.rawdata.bucketcache.hit=5, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12993897, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 16:09:53.978, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654790880_24946', total_run_time=15.85, event_count=0, result_count=0, available_count=0, scan_count=25290177, drop_count=0, exec_time=1654790930, api_et=1654776480.000000000, api_lt=1654790880.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654776480.000000000, search_lt=1654790880.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2736", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=25290177, total_slices=1423559, decompressed_slices=407292, duration.command.search.index=9898, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=65233, invocations.command.search.rawdata.bucketcache.hit=5, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12984006, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 16:09:53.770, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654790820_24930', total_run_time=16.17, event_count=0, result_count=0, available_count=0, scan_count=25261305, drop_count=0, exec_time=1654790869, api_et=1654776420.000000000, api_lt=1654790820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654776420.000000000, search_lt=1654790820.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2795", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=25261305, total_slices=1421435, decompressed_slices=406818, duration.command.search.index=9928, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=63490, invocations.command.search.rawdata.bucketcache.hit=5, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12975322, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 16:09:53.642, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654790820_24938', total_run_time=18.34, event_count=1317, result_count=56, available_count=0, scan_count=585932, drop_count=0, exec_time=1654790884, api_et=1654787220.000000000, api_lt=1654790820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654787220.000000000, search_lt=1654790886.417103000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2950", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=419, eliminated_buckets=202, considered_events=592568, total_slices=714179, decompressed_slices=137353, duration.command.search.index=4127, invocations.command.search.index.bucketcache.hit=419, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=40664, invocations.command.search.rawdata.bucketcache.hit=5, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=3, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=453858, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=46845, 
search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-09-2022 16:09:53.298, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654790940_24954', total_run_time=22.58, event_count=2, result_count=1, available_count=0, scan_count=4750971, drop_count=0, exec_time=1654790946, api_et=1654786740.000000000, 
api_lt=1654790340.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654786740.000000000, search_lt=1654790340.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3135", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_a96d5554f1f3379f", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=817, eliminated_buckets=395, considered_events=4750971, total_slices=1103428, decompressed_slices=222843, duration.command.search.index=1873, invocations.command.search.index.bucketcache.hit=815, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=35135, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=173, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where 
granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 16:07:56.969, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654790820_24925', total_run_time=6.49, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654790846, api_et=1654787220.000000000, api_lt=1654790820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654787220.000000000, search_lt=1654790848.466764000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2976", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_c6738f62d30e419b", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=418, eliminated_buckets=201, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=918, invocations.command.search.index.bucketcache.hit=418, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 16:07:26.941, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654790760_24909', total_run_time=15.41, event_count=0, result_count=0, available_count=0, scan_count=25233128, drop_count=0, exec_time=1654790810, api_et=1654776360.000000000, api_lt=1654790760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654776360.000000000, search_lt=1654790760.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3277", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=25233128, total_slices=1419528, decompressed_slices=406554, duration.command.search.index=9706, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=63666, invocations.command.search.rawdata.bucketcache.hit=5, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12966800, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 16:06:26.646, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654790700_24895', total_run_time=16.61, event_count=0, result_count=0, available_count=0, scan_count=25202476, drop_count=0, exec_time=1654790749, api_et=1654776300.000000000, api_lt=1654790700.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654776300.000000000, search_lt=1654790700.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3263", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=25202476, total_slices=1417517, decompressed_slices=406123, duration.command.search.index=10244, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=67051, invocations.command.search.rawdata.bucketcache.hit=5, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12957490, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 16:05:16.015, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654790640_24878', total_run_time=18.91, event_count=0, result_count=0, available_count=0, scan_count=25179505, drop_count=0, exec_time=1654790689, api_et=1654776240.000000000, api_lt=1654790640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654776240.000000000, search_lt=1654790640.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2650", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=25179505, total_slices=1415391, decompressed_slices=405816, duration.command.search.index=11018, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=73228, invocations.command.search.rawdata.bucketcache.hit=5, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12951015, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 16:04:54.366, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654790580_24836', total_run_time=19.64, event_count=0, result_count=0, available_count=0, scan_count=25153359, drop_count=0, exec_time=1654790630, api_et=1654776180.000000000, api_lt=1654790580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654776180.000000000, search_lt=1654790580.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2858", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=25153359, total_slices=1413506, decompressed_slices=405434, duration.command.search.index=12419, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=90532, invocations.command.search.rawdata.bucketcache.hit=5, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12942828, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 16:04:53.904, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654790520_24791', total_run_time=16.96, event_count=0, result_count=0, available_count=0, scan_count=25125375, drop_count=0, exec_time=1654790570, api_et=1654776120.000000000, api_lt=1654790520.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654776120.000000000, search_lt=1654790520.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2627", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=25125375, total_slices=1411328, decompressed_slices=405174, duration.command.search.index=9703, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=66717, invocations.command.search.rawdata.bucketcache.hit=5, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12933034, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 16:02:06.885, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654790460_24760', total_run_time=16.55, event_count=0, result_count=0, available_count=0, scan_count=25093770, drop_count=0, exec_time=1654790509, api_et=1654776060.000000000, api_lt=1654790460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654776060.000000000, search_lt=1654790460.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2599", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=25093770, total_slices=1409401, decompressed_slices=404903, duration.command.search.index=10208, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=71535, invocations.command.search.rawdata.bucketcache.hit=5, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12925694, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 16:01:37.017, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654790400_24730', total_run_time=24.56, event_count=0, result_count=0, available_count=0, scan_count=25071469, drop_count=0, exec_time=1654790450, api_et=1654776000.000000000, api_lt=1654790400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654776000.000000000, search_lt=1654790400.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2700", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=25071469, total_slices=1407320, decompressed_slices=404575, duration.command.search.index=10623, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=78704, invocations.command.search.rawdata.bucketcache.hit=5, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12923348, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 15:44:02.903, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654789380_24444', total_run_time=20.96, event_count=0, result_count=0, available_count=0, scan_count=2879, drop_count=0, exec_time=1654789418, api_et=1654785780.000000000, api_lt=1654789380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654785780.000000000, search_lt=1654789420.171840000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2948", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_a271146c2156fa1c", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=128, eliminated_buckets=0, considered_events=2879, total_slices=1052320, decompressed_slices=885, duration.command.search.index=1165, invocations.command.search.index.bucketcache.hit=128, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4859, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter 
vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 15:38:01.517, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654788780_24238', total_run_time=49.80, event_count=0, result_count=0, available_count=0, scan_count=41274676, drop_count=0, exec_time=1654788805, api_et=1654785180.000000000, api_lt=1654788780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654785180.000000000, search_lt=1654788807.753548000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3800", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_b971006ddfd5d006", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1863, eliminated_buckets=131, considered_events=41274676, total_slices=14378043, decompressed_slices=4149949, duration.command.search.index=14928, invocations.command.search.index.bucketcache.hit=1863, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=240547, invocations.command.search.rawdata.bucketcache.hit=304, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 15:16:40.707, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654787760_23897', total_run_time=13.19, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654787771, api_et=1654783560.000000000, api_lt=1654787160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654784160.000000000, search_lt=1654787772.952792000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3329", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_5e909e5fcb951980", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1068, eliminated_buckets=380, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=932, invocations.command.search.index.bucketcache.hit=1068, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes 
values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 15:14:40.891, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654787640_23848', total_run_time=5.09, event_count=0, result_count=0, available_count=0, scan_count=21806, drop_count=0, exec_time=1654787663, api_et=1654784040.000000000, api_lt=1654787640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654784040.000000000, search_lt=1654787665.055830000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2772", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=429, eliminated_buckets=289, considered_events=21937, total_slices=608921, decompressed_slices=5200, duration.command.search.index=1465, 
invocations.command.search.index.bucketcache.hit=429, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=6148, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=88, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=469, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=1117, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=272, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=5, sourcetype_count__crowdstrike:falcon:fdr:PdfFileWritten=3, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=801, sourcetype_count__crowdstrike:falcon:fdr:RtfFileWritten=1, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=20, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR 
sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." 
(CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-09-2022 15:11:10.889, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654787460_23782', total_run_time=5.67, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654787464, api_et=1654783860.000000000, api_lt=1654787460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654783860.000000000, search_lt=1654787467.363679000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="3612", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_5a293f8d37cb7af8", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=124, eliminated_buckets=49, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=59, invocations.command.search.index.bucketcache.hit=124, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 15:10:26.901, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654787340_23749', total_run_time=20.12, event_count=0, result_count=0, available_count=0, scan_count=5189400, drop_count=0, exec_time=1654787345, api_et=1654783140.000000000, api_lt=1654786740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654783140.000000000, search_lt=1654786740.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3066", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_f4d486f1a2bcd008", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=810, eliminated_buckets=391, considered_events=5189400, total_slices=1143490, decompressed_slices=242598, duration.command.search.index=2112, invocations.command.search.index.bucketcache.hit=810, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=35871, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=146, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 15:10:26.753, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654787220_23731', total_run_time=18.82, event_count=1363, result_count=57, available_count=0, scan_count=534302, drop_count=0, exec_time=1654787280, api_et=1654783620.000000000, api_lt=1654787220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654783620.000000000, search_lt=1654787282.384867000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="3121", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=424, eliminated_buckets=209, considered_events=542243, total_slices=643301, decompressed_slices=129213, duration.command.search.index=4071, invocations.command.search.index.bucketcache.hit=424, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=35724, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=3, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=415622, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=46684, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype 
CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-09-2022 15:07:57.147, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654787220_23726', total_run_time=5.72, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654787246, api_et=1654783620.000000000, api_lt=1654787220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654783620.000000000, search_lt=1654787248.333083000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2615", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_a0135388c25622e6", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=424, eliminated_buckets=209, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=988, invocations.command.search.index.bucketcache.hit=424, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 14:44:13.527, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654785780_23254', total_run_time=21.75, event_count=0, result_count=0, available_count=0, scan_count=4178, drop_count=0, exec_time=1654785818, api_et=1654782180.000000000, api_lt=1654785780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654782180.000000000, search_lt=1654785820.349501000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2918", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_714630e01ab81213", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=125, eliminated_buckets=0, considered_events=4178, total_slices=1105323, decompressed_slices=1428, duration.command.search.index=1050, invocations.command.search.index.bucketcache.hit=125, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4911, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 14:36:27.542, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654785180_23045', total_run_time=105.36, event_count=0, result_count=0, available_count=0, scan_count=41341549, drop_count=0, exec_time=1654785205, api_et=1654781580.000000000, api_lt=1654785180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654781580.000000000, search_lt=1654785207.038973000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3770", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_b1fccb3d801a38f7", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1860, eliminated_buckets=131, considered_events=41341549, total_slices=14358027, decompressed_slices=4211696, duration.command.search.index=15858, invocations.command.search.index.bucketcache.hit=1860, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=236424, invocations.command.search.rawdata.bucketcache.hit=299, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 14:16:39.741, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654784160_22699', total_run_time=13.24, event_count=0, result_count=0, available_count=0, scan_count=12, drop_count=0, exec_time=1654784171, api_et=1654779960.000000000, api_lt=1654783560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654780560.000000000, search_lt=1654784173.030163000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3247", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_5a20a70d427ca15e", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1065, eliminated_buckets=380, considered_events=12, total_slices=23723, decompressed_slices=3, duration.command.search.index=1469, invocations.command.search.index.bucketcache.hit=1065, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=305, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 14:14:37.790, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654784040_22659', total_run_time=4.61, event_count=0, result_count=0, available_count=0, scan_count=19218, drop_count=0, exec_time=1654784063, api_et=1654780440.000000000, api_lt=1654784040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654780440.000000000, search_lt=1654784065.166629000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2784", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=425, eliminated_buckets=286, considered_events=19725, total_slices=788554, decompressed_slices=4482, duration.command.search.index=1312, invocations.command.search.index.bucketcache.hit=425, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5964, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=69, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=327, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=992, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=209, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=4, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=542, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=22, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") 
`filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-09-2022 14:11:28.277, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654783860_22594', total_run_time=4.73, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654783864, api_et=1654780260.000000000, api_lt=1654783860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654780260.000000000, search_lt=1654783866.375124000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2288", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_b45dfb3621767769", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=125, eliminated_buckets=50, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=62, invocations.command.search.index.bucketcache.hit=125, 
duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 14:09:56.331, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654783740_22562', total_run_time=23.33, event_count=0, result_count=0, available_count=0, scan_count=5056570, drop_count=0, exec_time=1654783745, api_et=1654779540.000000000, api_lt=1654783140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654779540.000000000, search_lt=1654783140.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3091", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_a160c8f1e2e17d5a", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=809, eliminated_buckets=388, considered_events=5056570, total_slices=1109670, decompressed_slices=237956, duration.command.search.index=1996, invocations.command.search.index.bucketcache.hit=807, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=37739, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=200, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 14:09:04.736, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654783620_22544', total_run_time=16.63, event_count=2206, result_count=103, available_count=0, scan_count=508233, drop_count=0, exec_time=1654783680, api_et=1654780020.000000000, api_lt=1654783620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654780020.000000000, search_lt=1654783682.407551000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2867", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=425, eliminated_buckets=211, considered_events=514690, total_slices=523755, decompressed_slices=136362, duration.command.search.index=3530, invocations.command.search.index.bucketcache.hit=424, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=35883, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=1, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=404252, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=47986, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype 
CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-09-2022 14:07:56.323, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654783620_22539', total_run_time=5.75, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654783646, api_et=1654780020.000000000, api_lt=1654783620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654780020.000000000, search_lt=1654783648.555359000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2693", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_786a2810dae44ce4", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=425, eliminated_buckets=211, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=825, invocations.command.search.index.bucketcache.hit=424, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 13:44:23.893, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654782180_22076', total_run_time=20.95, event_count=0, result_count=0, available_count=0, scan_count=2832, drop_count=0, exec_time=1654782218, api_et=1654778580.000000000, api_lt=1654782180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654778580.000000000, search_lt=1654782219.953251000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2746", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_a954a6f53e48c06e", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=125, eliminated_buckets=0, considered_events=2832, total_slices=973033, decompressed_slices=959, duration.command.search.index=1109, invocations.command.search.index.bucketcache.hit=125, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4748, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 13:34:24.781, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654781580_21871', total_run_time=35.62, event_count=0, result_count=0, available_count=0, scan_count=41847832, drop_count=0, exec_time=1654781605, api_et=1654777980.000000000, api_lt=1654781580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654777980.000000000, search_lt=1654781607.428898000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3606", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_514cb0a39e504ae1", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1870, eliminated_buckets=131, considered_events=41847832, total_slices=14451302, decompressed_slices=4205860, duration.command.search.index=14503, invocations.command.search.index.bucketcache.hit=1870, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=225608, invocations.command.search.rawdata.bucketcache.hit=313, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 13:16:23.835, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654780560_21534', total_run_time=7.76, event_count=0, result_count=0, available_count=0, scan_count=1, drop_count=0, exec_time=1654780571, api_et=1654776360.000000000, api_lt=1654779960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654776960.000000000, search_lt=1654780573.133475000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3291", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_d69bf90266dde1ea", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1068, eliminated_buckets=381, considered_events=1, total_slices=4538, decompressed_slices=1, duration.command.search.index=723, invocations.command.search.index.bucketcache.hit=1068, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=128, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 13:14:42.224, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654780440_21494', total_run_time=4.30, event_count=0, result_count=0, available_count=0, scan_count=18844, drop_count=0, exec_time=1654780463, api_et=1654776840.000000000, api_lt=1654780440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654776840.000000000, search_lt=1654780465.084144000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2325", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=419, eliminated_buckets=286, considered_events=19111, total_slices=807048, decompressed_slices=4129, duration.command.search.index=1218, invocations.command.search.index.bucketcache.hit=418, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5922, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=55, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=236, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=866, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=133, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=6, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=374, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=6, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") 
`filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-09-2022 13:11:23.916, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654780260_21428', total_run_time=4.73, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654780264, api_et=1654776660.000000000, api_lt=1654780260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654776660.000000000, search_lt=1654780265.766543000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2269", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_2eec1e4d862e446e", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=51, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=71, invocations.command.search.index.bucketcache.hit=126, 
duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 13:09:36.872, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654780140_21396', total_run_time=20.80, event_count=4, result_count=4, available_count=0, scan_count=4944563, drop_count=0, exec_time=1654780145, api_et=1654775940.000000000, api_lt=1654779540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654775940.000000000, search_lt=1654779540.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3039", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_20586f96756b2728", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=812, eliminated_buckets=386, considered_events=4944563, total_slices=1188974, decompressed_slices=231823, duration.command.search.index=1943, invocations.command.search.index.bucketcache.hit=807, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=34807, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=156, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 13:09:21.551, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654780020_21378', total_run_time=23.23, event_count=1979, result_count=101, available_count=0, scan_count=486559, drop_count=0, exec_time=1654780080, api_et=1654776420.000000000, api_lt=1654780020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654776420.000000000, search_lt=1654780082.183273000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2780", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=418, eliminated_buckets=204, considered_events=493832, total_slices=438464, decompressed_slices=121079, duration.command.search.index=3703, invocations.command.search.index.bucketcache.hit=418, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=33115, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=1, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=387051, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=47112, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype 
CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-09-2022 13:07:54.070, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654780020_21373', total_run_time=5.33, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654780046, api_et=1654776420.000000000, api_lt=1654780020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654776420.000000000, search_lt=1654780048.478296000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2773", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_04edb28175fc4a1f", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=418, eliminated_buckets=204, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=840, invocations.command.search.index.bucketcache.hit=418, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 13:00:22.211, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654779540_21184', total_run_time=12.83, event_count=0, result_count=0, available_count=0, scan_count=22355070, drop_count=0, exec_time=1654779590, api_et=1654765140.000000000, api_lt=1654779540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654765140.000000000, search_lt=1654779540.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2669", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=22355070, total_slices=1097735, decompressed_slices=373952, duration.command.search.index=7785, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57522, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11858328, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 12:59:21.996, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654779480_21171', total_run_time=12.73, event_count=0, result_count=0, available_count=0, scan_count=22354093, drop_count=0, exec_time=1654779530, api_et=1654765080.000000000, api_lt=1654779480.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654765080.000000000, search_lt=1654779480.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2619", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=22354093, total_slices=1096017, decompressed_slices=373945, duration.command.search.index=7830, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56066, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11853920, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 12:58:22.120, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654779420_21156', total_run_time=13.53, event_count=0, result_count=0, available_count=0, scan_count=22348529, drop_count=0, exec_time=1654779470, api_et=1654765020.000000000, api_lt=1654779420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654765020.000000000, search_lt=1654779420.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2672", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=22348529, total_slices=1094315, decompressed_slices=373916, duration.command.search.index=7985, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56289, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11847696, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 12:57:21.831, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654779360_21138', total_run_time=13.58, event_count=0, result_count=0, available_count=0, scan_count=22338899, drop_count=0, exec_time=1654779409, api_et=1654764960.000000000, api_lt=1654779360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654764960.000000000, search_lt=1654779360.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2576", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=22338899, total_slices=1092577, decompressed_slices=373903, duration.command.search.index=8032, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55068, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11839105, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 12:56:21.981, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654779300_21127', total_run_time=15.62, event_count=0, result_count=0, available_count=0, scan_count=22331735, drop_count=0, exec_time=1654779349, api_et=1654764900.000000000, api_lt=1654779300.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654764900.000000000, search_lt=1654779300.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2973", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=22331735, total_slices=1090824, decompressed_slices=373991, duration.command.search.index=8319, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59400, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11832476, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 12:55:21.845, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654779240_21110', total_run_time=13.88, event_count=0, result_count=0, available_count=0, scan_count=22325841, drop_count=0, exec_time=1654779290, api_et=1654764840.000000000, api_lt=1654779240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654764840.000000000, search_lt=1654779240.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3047", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=22325841, total_slices=1089170, decompressed_slices=374018, duration.command.search.index=8470, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53504, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11825905, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 12:54:22.241, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654779180_21093', total_run_time=13.44, event_count=0, result_count=0, available_count=0, scan_count=22319915, drop_count=0, exec_time=1654779229, api_et=1654764780.000000000, api_lt=1654779180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654764780.000000000, search_lt=1654779180.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3289", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=22319915, total_slices=1087471, decompressed_slices=373975, duration.command.search.index=8047, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=54297, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11820135, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 12:53:50.035, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654779120_21069', total_run_time=14.25, event_count=0, result_count=0, available_count=0, scan_count=22314221, drop_count=0, exec_time=1654779169, api_et=1654764720.000000000, api_lt=1654779120.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654764720.000000000, search_lt=1654779120.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2659", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=22314221, total_slices=1085690, decompressed_slices=373940, duration.command.search.index=8093, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57928, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11813958, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 12:52:21.872, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654779060_21052', total_run_time=14.62, event_count=0, result_count=0, available_count=0, scan_count=22303206, drop_count=0, exec_time=1654779109, api_et=1654764660.000000000, api_lt=1654779060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654764660.000000000, search_lt=1654779060.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2690", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=22303206, total_slices=1083963, decompressed_slices=373832, duration.command.search.index=8835, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57400, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11806221, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 12:51:21.935, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654779000_21027', total_run_time=15.56, event_count=0, result_count=0, available_count=0, scan_count=22298491, drop_count=0, exec_time=1654779049, api_et=1654764600.000000000, api_lt=1654779000.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654764600.000000000, search_lt=1654779000.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2763", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=22298491, total_slices=1082267, decompressed_slices=373852, duration.command.search.index=8638, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59775, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11801817, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 12:50:14.550, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654778820_20968', total_run_time=12.59, event_count=0, result_count=0, available_count=0, scan_count=22282261, drop_count=0, exec_time=1654778870, api_et=1654764420.000000000, api_lt=1654778820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654764420.000000000, search_lt=1654778820.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2721", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=22282261, total_slices=1077027, decompressed_slices=374008, duration.command.search.index=8194, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53763, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11782929, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 12:50:14.306, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654778880_20984', total_run_time=15.44, event_count=0, result_count=0, available_count=0, scan_count=22288790, drop_count=0, exec_time=1654778929, api_et=1654764480.000000000, api_lt=1654778880.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654764480.000000000, search_lt=1654778880.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2722", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=22288790, total_slices=1078831, decompressed_slices=373957, duration.command.search.index=8793, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=62803, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11789614, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 12:50:14.235, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654778940_21005', total_run_time=14.04, event_count=0, result_count=0, available_count=0, scan_count=22293099, drop_count=0, exec_time=1654778989, api_et=1654764540.000000000, api_lt=1654778940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654764540.000000000, search_lt=1654778940.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2701", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=22293099, total_slices=1080602, decompressed_slices=373921, duration.command.search.index=8408, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56170, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11795129, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 12:47:18.057, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654778760_20947', total_run_time=13.50, event_count=0, result_count=0, available_count=0, scan_count=22277449, drop_count=0, exec_time=1654778809, api_et=1654764360.000000000, api_lt=1654778760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654764360.000000000, search_lt=1654778760.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2780", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=22277449, total_slices=1075426, decompressed_slices=373971, duration.command.search.index=7768, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55410, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11776916, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 12:46:18.072, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654778700_20929', total_run_time=13.22, event_count=0, result_count=0, available_count=0, scan_count=22271078, drop_count=0, exec_time=1654778749, api_et=1654764300.000000000, api_lt=1654778700.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654764300.000000000, search_lt=1654778700.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2712", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=22271078, total_slices=1073720, decompressed_slices=373874, duration.command.search.index=7726, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57388, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11770723, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 12:45:18.582, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654778640_20906', total_run_time=12.96, event_count=0, result_count=0, available_count=0, scan_count=22265932, drop_count=0, exec_time=1654778690, api_et=1654764240.000000000, api_lt=1654778640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654764240.000000000, search_lt=1654778640.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2803", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=22265932, total_slices=1072026, decompressed_slices=373910, duration.command.search.index=7893, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56204, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11765171, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 12:44:18.438, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654778580_20882', total_run_time=21.99, event_count=0, result_count=0, available_count=0, scan_count=3933, drop_count=0, exec_time=1654778618, api_et=1654774980.000000000, api_lt=1654778580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654774980.000000000, search_lt=1654778620.450699000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2990", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_9aef5e691ab61074", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=125, eliminated_buckets=0, considered_events=3933, total_slices=984980, decompressed_slices=1466, duration.command.search.index=1115, invocations.command.search.index.bucketcache.hit=125, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4926, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 12:44:18.131, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654778580_20885', total_run_time=14.39, event_count=0, result_count=0, available_count=0, scan_count=22260775, drop_count=0, exec_time=1654778630, api_et=1654764180.000000000, api_lt=1654778580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654764180.000000000, search_lt=1654778580.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3407", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=22260775, total_slices=1070333, decompressed_slices=373980, duration.command.search.index=7952, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57970, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11758065, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 12:43:18.393, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654778520_20857', total_run_time=13.44, event_count=0, result_count=0, available_count=0, scan_count=22259244, drop_count=0, exec_time=1654778569, api_et=1654764120.000000000, api_lt=1654778520.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654764120.000000000, search_lt=1654778520.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2687", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=22259244, total_slices=1068049, decompressed_slices=373971, duration.command.search.index=8192, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56375, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11752915, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 12:42:24.790, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654778400_20808', total_run_time=19.48, event_count=0, result_count=0, available_count=0, scan_count=22253705, drop_count=0, exec_time=1654778449, api_et=1654764000.000000000, api_lt=1654778400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654764000.000000000, search_lt=1654778400.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2695", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=22253705, total_slices=1065364, decompressed_slices=374127, duration.command.search.index=8451, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=60845, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11741218, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 12:42:24.719, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654778280_20771', total_run_time=16.10, event_count=0, result_count=0, available_count=0, scan_count=22255202, drop_count=0, exec_time=1654778329, api_et=1654763880.000000000, api_lt=1654778280.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654763880.000000000, search_lt=1654778280.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2848", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=22255202, total_slices=1061919, decompressed_slices=374330, duration.command.search.index=8887, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=62853, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11736671, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 12:42:24.500, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654778220_20756', total_run_time=15.19, event_count=0, result_count=0, available_count=0, scan_count=22254799, drop_count=0, exec_time=1654778270, api_et=1654763820.000000000, api_lt=1654778220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654763820.000000000, search_lt=1654778220.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2702", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=22254799, total_slices=1060286, decompressed_slices=374373, duration.command.search.index=8207, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57266, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11732958, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 12:42:24.379, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654778340_20787', total_run_time=17.10, event_count=0, result_count=0, available_count=0, scan_count=22255738, drop_count=0, exec_time=1654778389, api_et=1654763940.000000000, api_lt=1654778340.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654763940.000000000, search_lt=1654778340.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2640", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=22255738, total_slices=1063615, decompressed_slices=374210, duration.command.search.index=8878, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57066, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11739558, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 12:42:24.043, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654778460_20834', total_run_time=13.25, event_count=0, result_count=0, available_count=0, scan_count=22256773, drop_count=0, exec_time=1654778509, api_et=1654764060.000000000, api_lt=1654778460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654764060.000000000, search_lt=1654778460.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2690", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=22256773, total_slices=1066956, decompressed_slices=374021, duration.command.search.index=8598, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57420, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11747264, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 12:37:04.460, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654778160_20741', total_run_time=13.43, event_count=0, result_count=0, available_count=0, scan_count=22250866, drop_count=0, exec_time=1654778210, api_et=1654763760.000000000, api_lt=1654778160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654763760.000000000, search_lt=1654778160.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2658", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=22250866, total_slices=1058589, decompressed_slices=374409, duration.command.search.index=8023, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55530, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11728244, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 12:36:42.812, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654778100_20731', total_run_time=13.91, event_count=0, result_count=0, available_count=0, scan_count=22251918, drop_count=0, exec_time=1654778150, api_et=1654763700.000000000, api_lt=1654778100.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654763700.000000000, search_lt=1654778100.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2677", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=22251918, total_slices=1057015, decompressed_slices=374502, duration.command.search.index=8545, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56807, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11727638, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 12:36:42.450, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654777920_20637', total_run_time=19.46, event_count=0, result_count=0, available_count=0, scan_count=22263713, drop_count=0, exec_time=1654777970, api_et=1654763520.000000000, api_lt=1654777920.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654763520.000000000, search_lt=1654777920.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2752", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=127, eliminated_buckets=0, considered_events=22263713, total_slices=1052004, decompressed_slices=374808, duration.command.search.index=10230, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=72933, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11728301, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 12:36:42.132, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654778040_20710', total_run_time=15.43, event_count=0, result_count=0, available_count=0, scan_count=22257386, drop_count=0, exec_time=1654778089, api_et=1654763640.000000000, api_lt=1654778040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654763640.000000000, search_lt=1654778040.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2838", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=22257386, total_slices=1055265, decompressed_slices=374660, duration.command.search.index=8909, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=60177, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11726483, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 12:36:41.921, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654777980_20674', total_run_time=17.33, event_count=0, result_count=0, available_count=0, scan_count=22260454, drop_count=0, exec_time=1654778029, api_et=1654763580.000000000, api_lt=1654777980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654763580.000000000, search_lt=1654777980.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2727", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=127, eliminated_buckets=0, considered_events=22260454, total_slices=1053667, decompressed_slices=374759, duration.command.search.index=10134, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=70130, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11726929, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 12:36:41.756, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654777980_20660', total_run_time=38.23, event_count=0, result_count=0, available_count=0, scan_count=42064793, drop_count=0, exec_time=1654778005, api_et=1654774380.000000000, api_lt=1654777980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654774380.000000000, search_lt=1654778007.303401000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3656", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_0417fb8e8a90d10d", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1863, eliminated_buckets=131, considered_events=42064793, total_slices=14510362, decompressed_slices=4205468, duration.command.search.index=14670, invocations.command.search.index.bucketcache.hit=1863, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=229959, invocations.command.search.rawdata.bucketcache.hit=309, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 12:32:12.775, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654777860_20607', total_run_time=18.86, event_count=0, result_count=0, available_count=0, scan_count=22263577, drop_count=0, exec_time=1654777909, api_et=1654763460.000000000, api_lt=1654777860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654763460.000000000, search_lt=1654777860.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3143", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=127, eliminated_buckets=0, considered_events=22263577, total_slices=1050383, decompressed_slices=374824, duration.command.search.index=10115, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=75421, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11725968, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 12:31:12.696, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654777800_20579', total_run_time=22.16, event_count=0, result_count=0, available_count=0, scan_count=22264973, drop_count=0, exec_time=1654777849, api_et=1654763400.000000000, api_lt=1654777800.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654763400.000000000, search_lt=1654777800.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2693", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=127, eliminated_buckets=0, considered_events=22264973, total_slices=1048731, decompressed_slices=374908, duration.command.search.index=12018, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=87689, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11725060, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 12:30:29.243, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654777740_20550', total_run_time=14.39, event_count=0, result_count=0, available_count=0, scan_count=22266767, drop_count=0, exec_time=1654777790, api_et=1654763340.000000000, api_lt=1654777740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654763340.000000000, search_lt=1654777740.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2562", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=127, eliminated_buckets=0, considered_events=22266767, total_slices=1047014, decompressed_slices=374993, duration.command.search.index=8118, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58419, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11724360, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 12:30:03.004, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654777680_20537', total_run_time=13.12, event_count=0, result_count=0, available_count=0, scan_count=22268806, drop_count=0, exec_time=1654777729, api_et=1654763280.000000000, api_lt=1654777680.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654763280.000000000, search_lt=1654777680.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2834", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=127, eliminated_buckets=0, considered_events=22268806, total_slices=1045303, decompressed_slices=375155, duration.command.search.index=8657, invocations.command.search.index.bucketcache.hit=127, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56485, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11723355, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 12:30:02.611, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654777620_20523', total_run_time=15.78, event_count=0, result_count=0, available_count=0, scan_count=22270401, drop_count=0, exec_time=1654777669, api_et=1654763220.000000000, api_lt=1654777620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654763220.000000000, search_lt=1654777620.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2733", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=127, eliminated_buckets=0, considered_events=22270401, total_slices=1043606, decompressed_slices=375231, duration.command.search.index=8167, invocations.command.search.index.bucketcache.hit=127, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57767, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11721951, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 12:27:17.810, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654777560_20504', total_run_time=14.76, event_count=0, result_count=0, available_count=0, scan_count=22268058, drop_count=0, exec_time=1654777609, api_et=1654763160.000000000, api_lt=1654777560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654763160.000000000, search_lt=1654777560.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2575", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=127, eliminated_buckets=0, considered_events=22268058, total_slices=1041974, decompressed_slices=375176, duration.command.search.index=8350, invocations.command.search.index.bucketcache.hit=127, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57096, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11719660, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 12:26:17.583, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654777500_20488', total_run_time=18.55, event_count=0, result_count=0, available_count=0, scan_count=22264844, drop_count=0, exec_time=1654777549, api_et=1654763100.000000000, api_lt=1654777500.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654763100.000000000, search_lt=1654777500.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3162", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=127, eliminated_buckets=0, considered_events=22264844, total_slices=1040306, decompressed_slices=375240, duration.command.search.index=7883, invocations.command.search.index.bucketcache.hit=127, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58182, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11714852, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 12:25:17.508, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654777440_20474', total_run_time=19.68, event_count=0, result_count=0, available_count=0, scan_count=22266177, drop_count=0, exec_time=1654777490, api_et=1654763040.000000000, api_lt=1654777440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654763040.000000000, search_lt=1654777440.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2691", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=127, eliminated_buckets=0, considered_events=22266177, total_slices=1038617, decompressed_slices=375239, duration.command.search.index=9062, invocations.command.search.index.bucketcache.hit=127, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=60012, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11711905, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 12:24:17.663, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654777380_20455', total_run_time=19.10, event_count=0, result_count=0, available_count=0, scan_count=22262243, drop_count=0, exec_time=1654777429, api_et=1654762980.000000000, api_lt=1654777380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654762980.000000000, search_lt=1654777380.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2766", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=127, eliminated_buckets=0, considered_events=22262243, total_slices=1036843, decompressed_slices=375189, duration.command.search.index=8744, invocations.command.search.index.bucketcache.hit=127, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58035, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11706531, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 12:23:17.547, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654777320_20423', total_run_time=22.07, event_count=0, result_count=0, available_count=0, scan_count=22259312, drop_count=0, exec_time=1654777369, api_et=1654762920.000000000, api_lt=1654777320.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654762920.000000000, search_lt=1654777320.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2745", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=127, eliminated_buckets=0, considered_events=22259312, total_slices=1035111, decompressed_slices=375164, duration.command.search.index=8955, invocations.command.search.index.bucketcache.hit=127, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=62800, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11702720, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 12:22:33.695, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654777260_20407', total_run_time=22.02, event_count=0, result_count=0, available_count=0, scan_count=22258040, drop_count=0, exec_time=1654777309, api_et=1654762860.000000000, api_lt=1654777260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654762860.000000000, search_lt=1654777260.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2614", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=127, eliminated_buckets=0, considered_events=22258040, total_slices=1033490, decompressed_slices=375145, duration.command.search.index=8600, invocations.command.search.index.bucketcache.hit=127, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=60798, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11700613, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 12:22:05.071, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654777140_20356', total_run_time=35.54, event_count=0, result_count=0, available_count=0, scan_count=22248923, drop_count=0, exec_time=1654777189, api_et=1654762740.000000000, api_lt=1654777140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654762740.000000000, search_lt=1654777140.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2705", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=127, eliminated_buckets=0, considered_events=22248923, total_slices=1030246, decompressed_slices=375147, duration.command.search.index=8880, invocations.command.search.index.bucketcache.hit=127, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=62491, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11693771, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 12:22:04.895, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654777080_20330', total_run_time=33.79, event_count=0, result_count=0, available_count=0, scan_count=22244948, drop_count=0, exec_time=1654777129, api_et=1654762680.000000000, api_lt=1654777080.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654762680.000000000, search_lt=1654777080.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2703", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=127, eliminated_buckets=0, considered_events=22244948, total_slices=1028714, decompressed_slices=375247, duration.command.search.index=9214, invocations.command.search.index.bucketcache.hit=127, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=68042, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11690855, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 12:22:04.762, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654777200_20379', total_run_time=40.58, event_count=0, result_count=0, available_count=0, scan_count=22251366, drop_count=0, exec_time=1654777249, api_et=1654762800.000000000, api_lt=1654777200.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654762800.000000000, search_lt=1654777200.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3028", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=127, eliminated_buckets=0, considered_events=22251366, total_slices=1031866, decompressed_slices=375143, duration.command.search.index=8564, invocations.command.search.index.bucketcache.hit=127, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=63946, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11696824, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 12:22:04.515, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654777020_20309', total_run_time=34.20, event_count=0, result_count=0, available_count=0, scan_count=22241497, drop_count=0, exec_time=1654777069, api_et=1654762620.000000000, api_lt=1654777020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654762620.000000000, search_lt=1654777020.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2714", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=127, eliminated_buckets=0, considered_events=22241497, total_slices=1026902, decompressed_slices=375232, duration.command.search.index=8980, invocations.command.search.index.bucketcache.hit=127, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=66074, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11687555, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 12:17:43.659, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654776960_20286', total_run_time=24.88, event_count=0, result_count=0, available_count=0, scan_count=22233369, drop_count=0, exec_time=1654777009, api_et=1654762560.000000000, api_lt=1654776960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654762560.000000000, search_lt=1654776960.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2600", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=127, eliminated_buckets=0, considered_events=22233369, total_slices=1025334, decompressed_slices=375165, duration.command.search.index=8858, invocations.command.search.index.bucketcache.hit=127, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=67446, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11681591, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 12:16:43.584, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654776900_20269', total_run_time=28.13, event_count=0, result_count=0, available_count=0, scan_count=22227040, drop_count=0, exec_time=1654776950, api_et=1654762500.000000000, api_lt=1654776900.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654762500.000000000, search_lt=1654776900.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2707", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=127, eliminated_buckets=0, considered_events=22227040, total_slices=1023640, decompressed_slices=375127, duration.command.search.index=9230, invocations.command.search.index.bucketcache.hit=127, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=71687, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11676011, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 12:16:43.567, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654776960_20280', total_run_time=8.69, event_count=0, result_count=0, available_count=0, scan_count=1, drop_count=0, exec_time=1654776970, api_et=1654772760.000000000, api_lt=1654776360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654773360.000000000, search_lt=1654776973.009420000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3799", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_0a4f11669a5e2fac", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1066, eliminated_buckets=381, considered_events=1, total_slices=8394, decompressed_slices=1, duration.command.search.index=677, invocations.command.search.index.bucketcache.hit=1066, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=114, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes 
values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 12:15:13.545, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654776840_20250', total_run_time=20.94, event_count=0, result_count=0, available_count=0, scan_count=22223604, drop_count=0, exec_time=1654776889, api_et=1654762440.000000000, api_lt=1654776840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654762440.000000000, search_lt=1654776840.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2824", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=127, eliminated_buckets=0, considered_events=22223604, total_slices=1021823, 
decompressed_slices=375127, duration.command.search.index=8707, invocations.command.search.index.bucketcache.hit=127, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=66284, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11670870, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 12:14:43.657, 
user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654776780_20227', total_run_time=26.08, event_count=0, result_count=0, available_count=0, scan_count=22219215, drop_count=0, exec_time=1654776829, api_et=1654762380.000000000, api_lt=1654776780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654762380.000000000, search_lt=1654776780.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2763", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=127, eliminated_buckets=0, considered_events=22219215, total_slices=1020151, decompressed_slices=375240, duration.command.search.index=9451, invocations.command.search.index.bucketcache.hit=127, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=71884, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11666386, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" 
src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 12:14:43.315, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654776840_20237', total_run_time=5.29, event_count=0, result_count=0, available_count=0, scan_count=13516, drop_count=0, exec_time=1654776863, api_et=1654773240.000000000, api_lt=1654776840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654773240.000000000, search_lt=1654776865.654208000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2740", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=419, eliminated_buckets=286, considered_events=13653, total_slices=832535, decompressed_slices=3370, duration.command.search.index=1089, invocations.command.search.index.bucketcache.hit=419, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=6244, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=52, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=159, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=326, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=78, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=3, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=473, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=4, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR 
sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." 
(CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-09-2022 12:13:13.465, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654776720_20199', total_run_time=20.92, event_count=0, result_count=0, available_count=0, scan_count=22216704, drop_count=0, exec_time=1654776769, api_et=1654762320.000000000, api_lt=1654776720.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654762320.000000000, search_lt=1654776720.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2706", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=127, eliminated_buckets=0, considered_events=22216704, total_slices=1018351, decompressed_slices=375253, duration.command.search.index=8356, invocations.command.search.index.bucketcache.hit=127, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=60312, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11660673, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 12:12:13.350, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654776660_20181', total_run_time=23.54, event_count=0, result_count=0, available_count=0, scan_count=22210383, drop_count=0, exec_time=1654776709, api_et=1654762260.000000000, api_lt=1654776660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654762260.000000000, search_lt=1654776660.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3017", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=127, eliminated_buckets=0, considered_events=22210383, total_slices=1016582, decompressed_slices=375233, duration.command.search.index=8601, invocations.command.search.index.bucketcache.hit=127, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=60410, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11654230, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 12:11:13.609, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654776600_20156', total_run_time=13.83, event_count=0, result_count=0, available_count=0, scan_count=22202626, drop_count=0, exec_time=1654776650, api_et=1654762200.000000000, api_lt=1654776600.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654762200.000000000, search_lt=1654776600.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2981", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=127, eliminated_buckets=0, considered_events=22202626, total_slices=1015147, decompressed_slices=375217, duration.command.search.index=8093, invocations.command.search.index.bucketcache.hit=127, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57482, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11646772, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 12:11:13.342, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654776660_20163', total_run_time=5.38, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654776664, api_et=1654773060.000000000, api_lt=1654776660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654773060.000000000, search_lt=1654776667.258630000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="3222", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_47c94549ed47085d", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=50, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=68, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting 
to collect intellectual property from the Gitlab source control system." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 12:10:32.409, user=u00002, action=search, info=completed, search_id='scheduler__u00002__search__RMD5b133e58a16dd7195_at_1654776000_20051', total_run_time=341.25, event_count=2696, result_count=2695, available_count=0, scan_count=1756947, drop_count=0, exec_time=1654776290, api_et=1654689600.000000000, api_lt=1654776000.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1567209600.000000000, search_lt=1654776000.000000000, is_realtime=0, savedsearch_name="DMO Confluence Aging Metrics", search_startup_time="65099", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_search_u00002_0ae7f3ab2db4e612", app="search", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=30399, eliminated_buckets=4771, considered_events=1756947, total_slices=14083500, decompressed_slices=1089755, duration.command.search.index=1292834, invocations.command.search.index.bucketcache.hit=26523, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=3929, duration.command.search.index.bucketcache.miss=749574, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=219718, invocations.command.search.rawdata.bucketcache.hit=18769, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=1574, duration.command.search.rawdata.bucketcache.miss=518224, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__access=71088, sourcetype_count__atlassian:confluence:access=1170765, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search earliest=08/31/2019:00:00:00 latest=now index=ops_confluence url IN ("https://confluence.tshirt.com/display/SEC/*") uri_path="/rest/quickreload/latest/*" | fields url, uri_path | rex field=uri_path "\/rest\/quickreload\/latest\/(?[^?]+)" | rex field=url "https:\/\/confluence.tshirt.com\/display\/SEC\/(?[^?]+)" | rex field=url "https://confluence.tshirt.com/display/~u00001/(?[^?]+)" | eval pageTitle=coalesce(pageTitle_1, pageTitle_2, "") | fields pageId, pageTitle | dedup pageId | join type=left pageId [search earliest=08/31/2019:00:00:00 latest=now index=ops_confluence PUT user=* url="https://confluence.tshirt.com/pages/resumedraft.action?draftId=*" uri_path="/rest/api/content/*" | rex field=uri_path "\/rest\/api\/content\/(?[^?]+)\?status=draft" | stats latest(_time) AS last_edited latest(user) AS last_edited_by by pageId | fields last_edited last_edited_by pageId] | fields last_edited pageTitle pageId last_edited_by | eval days=round(((now()-last_edited)/86400),0) | convert ctime(last_edited) | table last_edited pageTitle pageId last_edited_by days | where pageId!=0 | sort +days | outputlookup dmo_conf_age.csv'] Audit:[timestamp=06-09-2022 12:10:10.748, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654776420_20102', total_run_time=13.88, event_count=0, result_count=0, available_count=0, scan_count=22196519, drop_count=0, exec_time=1654776469, api_et=1654762020.000000000, api_lt=1654776420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654762020.000000000, search_lt=1654776420.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT 
IP_Updating New IP", search_startup_time="2628", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=127, eliminated_buckets=0, considered_events=22196519, total_slices=1010023, decompressed_slices=375390, duration.command.search.index=8402, invocations.command.search.index.bucketcache.hit=127, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56170, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11632215, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) 
latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 12:10:10.538, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654776420_20110', total_run_time=15.87, event_count=1198, result_count=56, available_count=0, scan_count=367398, drop_count=0, exec_time=1654776484, api_et=1654772820.000000000, api_lt=1654776420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654772820.000000000, search_lt=1654776485.971300000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2737", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=418, eliminated_buckets=203, considered_events=378057, total_slices=504981, decompressed_slices=108447, duration.command.search.index=3423, invocations.command.search.index.bucketcache.hit=417, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=29138, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=291584, 
sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=32351, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-09-2022 12:10:10.186, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654776540_20127', total_run_time=22.43, event_count=0, result_count=0, available_count=0, scan_count=4833655, drop_count=0, 
exec_time=1654776545, api_et=1654772340.000000000, api_lt=1654775940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654772340.000000000, search_lt=1654775940.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3104", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_69f5e062e3f5992a", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=808, eliminated_buckets=393, considered_events=4833655, total_slices=1091744, decompressed_slices=229340, duration.command.search.index=1949, invocations.command.search.index.bucketcache.hit=807, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=35875, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=76, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument 
"\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 12:10:10.050, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654776480_20119', total_run_time=13.14, event_count=0, result_count=0, available_count=0, scan_count=22198888, drop_count=0, exec_time=1654776529, api_et=1654762080.000000000, api_lt=1654776480.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654762080.000000000, search_lt=1654776480.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2683", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=127, eliminated_buckets=0, considered_events=22198888, total_slices=1011808, decompressed_slices=375363, duration.command.search.index=8392, invocations.command.search.index.bucketcache.hit=127, duration.command.search.index.bucketcache.hit=0, 
invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56602, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11636631, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 12:10:09.959, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654776540_20135', total_run_time=13.19, 
event_count=0, result_count=0, available_count=0, scan_count=22201552, drop_count=0, exec_time=1654776589, api_et=1654762140.000000000, api_lt=1654776540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654762140.000000000, search_lt=1654776540.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2705", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=127, eliminated_buckets=0, considered_events=22201552, total_slices=1013365, decompressed_slices=375235, duration.command.search.index=8021, invocations.command.search.index.bucketcache.hit=127, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55487, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11641468, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, 
dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 12:07:50.196, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654776420_20097', total_run_time=4.92, event_count=0, result_count=0, available_count=0, scan_count=1, drop_count=0, exec_time=1654776446, api_et=1654772820.000000000, api_lt=1654776420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654772820.000000000, search_lt=1654776448.553795000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2801", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_152d0fc300415e01", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=418, eliminated_buckets=203, considered_events=1, total_slices=3, decompressed_slices=1, duration.command.search.index=778, invocations.command.search.index.bucketcache.hit=417, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, 
duration.command.search.rawdata=124, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 12:07:20.388, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654776360_20082', total_run_time=14.80, event_count=0, result_count=0, available_count=0, scan_count=22191872, drop_count=0, exec_time=1654776409, api_et=1654761960.000000000, api_lt=1654776360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654761960.000000000, search_lt=1654776360.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2912", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=127, eliminated_buckets=0, considered_events=22191872, total_slices=1008347, decompressed_slices=375360, duration.command.search.index=8481, invocations.command.search.index.bucketcache.hit=127, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56672, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11627293, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 12:06:20.050, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654776300_20068', total_run_time=23.41, event_count=0, result_count=0, available_count=0, scan_count=22186989, drop_count=0, exec_time=1654776350, api_et=1654761900.000000000, api_lt=1654776300.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654761900.000000000, search_lt=1654776300.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3303", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=127, eliminated_buckets=0, considered_events=22186989, total_slices=1006810, decompressed_slices=375357, duration.command.search.index=8676, invocations.command.search.index.bucketcache.hit=127, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=62671, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11623129, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 12:05:20.036, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654776240_20050', total_run_time=26.74, event_count=0, result_count=0, available_count=0, scan_count=22182489, drop_count=0, exec_time=1654776290, api_et=1654761840.000000000, api_lt=1654776240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654761840.000000000, search_lt=1654776240.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2885", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=127, eliminated_buckets=0, considered_events=22182489, total_slices=1005000, decompressed_slices=375377, duration.command.search.index=9315, invocations.command.search.index.bucketcache.hit=127, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=71100, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11619845, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 12:04:44.142, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654776060_19931', total_run_time=69.72, event_count=0, result_count=0, available_count=0, scan_count=22175456, drop_count=0, exec_time=1654776109, api_et=1654761660.000000000, api_lt=1654776060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654761660.000000000, search_lt=1654776060.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2551", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=127, eliminated_buckets=0, considered_events=22175456, total_slices=1000095, decompressed_slices=375526, duration.command.search.index=15761, invocations.command.search.index.bucketcache.hit=127, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=110925, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11607293, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 12:04:43.624, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654776180_20007', total_run_time=39.04, event_count=0, result_count=0, available_count=0, scan_count=22179033, drop_count=0, exec_time=1654776229, api_et=1654761780.000000000, api_lt=1654776180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654761780.000000000, search_lt=1654776180.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2608", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=127, eliminated_buckets=0, considered_events=22179033, total_slices=1003265, decompressed_slices=375449, duration.command.search.index=10694, invocations.command.search.index.bucketcache.hit=127, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=81657, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11615403, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 12:01:42.341, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD5447569e8e48a25cb_at_1654776000_19895', total_run_time=62.92, event_count=0, result_count=101, available_count=0, scan_count=0, drop_count=0, exec_time=1654776032, api_et=1654774200.000000000, api_lt=1654776000.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654774200.000000000, search_lt=1654776000.000000000, is_realtime=0, savedsearch_name="DMO SOP SIR Metrics", search_startup_time="63624", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, 
searched_buckets=0, eliminated_buckets=0, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=0, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='| inputlookup dmo_conf_age.csv | search pageTitle IN ("DMOESS*", "RQ-S*") NOT pageTitle IN ("*+Retired", "*+RETIRED") | rex field=pageTitle "^(?\S+?)\+" | join usecase_id [| search earliest=-1y index=sec_snow sourcetype=snow:sn_si_incident | rex field=description "(?s)\|\s(?(RQ-|DMOESS).*)?For ServiceNow Consumption:" | stats latest(number) as latest_sir_number by _time, usecase_title | makemv usecase_title delim=" | " | mvexpand usecase_title | search usecase_title IN ("RQ-*", "DMOESS*") | stats last(latest_sir_number) as latest_sir_number latest(_time) as last_appeared_in_sir by usecase_title | rex field=usecase_title "^(?\S*)" | fields usecase_id, usecase_title, latest_sir_number, last_appeared_in_sir] | stats values(pageTitle) as conf_pageTitle, values(last_edited_by) as conf_last_edited_by, values(last_edited) as conf_last_edited, values(days) as conf_days_since_last_edit, values(pageId) as conf_pageId by last_appeared_in_sir, 
latest_sir_number, usecase_id, usecase_title | convert ctime(last_appeared_in_sir) | outputlookup dmo_sop_sir_metrics.csv'] Audit:[timestamp=06-09-2022 12:01:11.785, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654776000_19899', total_run_time=18.21, event_count=0, result_count=0, available_count=0, scan_count=22171151, drop_count=0, exec_time=1654776049, api_et=1654761600.000000000, api_lt=1654776000.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654761600.000000000, search_lt=1654776000.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2658", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=127, eliminated_buckets=0, considered_events=22171151, total_slices=998262, decompressed_slices=375522, duration.command.search.index=8433, invocations.command.search.index.bucketcache.hit=127, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=62345, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11599177, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 11:44:13.705, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654774980_19609', total_run_time=33.62, event_count=0, result_count=0, available_count=0, scan_count=3188, drop_count=0, exec_time=1654775018, api_et=1654771380.000000000, api_lt=1654774980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654771380.000000000, search_lt=1654775020.527616000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3021", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_4064b95c57ee437b", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=3188, total_slices=807910, decompressed_slices=1055, duration.command.search.index=1130, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5071, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter 
vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 11:34:31.750, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654774380_19402', total_run_time=36.84, event_count=0, result_count=0, available_count=0, scan_count=42072518, drop_count=0, exec_time=1654774405, api_et=1654770780.000000000, api_lt=1654774380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654770780.000000000, search_lt=1654774407.230249000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3620", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_df4ca00b2e3ef472", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1860, eliminated_buckets=132, considered_events=42072518, total_slices=14389244, decompressed_slices=4222956, duration.command.search.index=16648, invocations.command.search.index.bucketcache.hit=1859, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=230365, invocations.command.search.rawdata.bucketcache.hit=304, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 11:16:28.826, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654773360_19062', total_run_time=6.51, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654773370, api_et=1654769160.000000000, api_lt=1654772760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654769760.000000000, search_lt=1654773372.323667000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3347", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_86589e8743994728", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1070, eliminated_buckets=384, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=667, invocations.command.search.index.bucketcache.hit=1070, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes 
values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 11:14:58.891, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654773240_19021', total_run_time=6.74, event_count=0, result_count=0, available_count=0, scan_count=14603, drop_count=0, exec_time=1654773263, api_et=1654769640.000000000, api_lt=1654773240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654769640.000000000, search_lt=1654773265.501879000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2883", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=415, eliminated_buckets=283, considered_events=14633, total_slices=773674, decompressed_slices=2801, duration.command.search.index=1085, 
invocations.command.search.index.bucketcache.hit=413, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5827, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=37, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=108, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=279, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=63, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=4, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=61, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=6, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR 
sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." 
(CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-09-2022 11:11:28.690, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654773060_18955', total_run_time=4.64, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654773063, api_et=1654769460.000000000, api_lt=1654773060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654769460.000000000, search_lt=1654773065.507547000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2162", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_3412340dfb94764c", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=125, eliminated_buckets=50, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=66, invocations.command.search.index.bucketcache.hit=125, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 11:09:28.865, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654772940_18922', total_run_time=18.99, event_count=0, result_count=0, available_count=0, scan_count=4875539, drop_count=0, exec_time=1654772945, api_et=1654768740.000000000, api_lt=1654772340.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654768740.000000000, search_lt=1654772340.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3023", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_2ba2a9d01edd748d", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=807, eliminated_buckets=386, considered_events=4875539, total_slices=1125132, decompressed_slices=229504, duration.command.search.index=2040, invocations.command.search.index.bucketcache.hit=807, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=36117, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=103, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 11:08:48.410, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654772820_18903', total_run_time=21.51, event_count=1160, result_count=54, available_count=0, scan_count=343847, drop_count=0, exec_time=1654772880, api_et=1654769220.000000000, api_lt=1654772820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654769220.000000000, search_lt=1654772882.390966000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2743", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=411, eliminated_buckets=202, considered_events=352186, total_slices=593040, decompressed_slices=105250, duration.command.search.index=3751, invocations.command.search.index.bucketcache.hit=411, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=30775, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=3, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=282175, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=31000, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype 
CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-09-2022 11:07:58.952, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654772820_18898', total_run_time=8.92, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654772846, api_et=1654769220.000000000, api_lt=1654772820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654769220.000000000, search_lt=1654772847.760622000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2663", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_5bb754144010c53d", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=411, eliminated_buckets=202, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=820, invocations.command.search.index.bucketcache.hit=411, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 10:44:20.539, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654771380_18430', total_run_time=35.34, event_count=0, result_count=0, available_count=0, scan_count=4535, drop_count=0, exec_time=1654771418, api_et=1654767780.000000000, api_lt=1654771380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654767780.000000000, search_lt=1654771420.106875000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2793", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_77b8146eb0d4b8ef", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=4535, total_slices=769945, decompressed_slices=1578, duration.command.search.index=1653, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5779, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 10:37:19.540, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654770780_18220', total_run_time=38.51, event_count=0, result_count=0, available_count=0, scan_count=42264509, drop_count=0, exec_time=1654770805, api_et=1654767180.000000000, api_lt=1654770780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654767180.000000000, search_lt=1654770807.901534000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="4126", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_fa54eafacd7e364c", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1881, eliminated_buckets=133, considered_events=42264509, total_slices=14681917, decompressed_slices=4246589, duration.command.search.index=14753, invocations.command.search.index.bucketcache.hit=1881, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=228297, invocations.command.search.rawdata.bucketcache.hit=325, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 10:16:32.229, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654769760_17873', total_run_time=7.94, event_count=0, result_count=0, available_count=0, scan_count=7, drop_count=0, exec_time=1654769770, api_et=1654765560.000000000, api_lt=1654769160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654766160.000000000, search_lt=1654769772.239150000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3214", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_6472fa7b7c0d01b1", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1066, eliminated_buckets=383, considered_events=7, total_slices=5960, decompressed_slices=2, duration.command.search.index=678, invocations.command.search.index.bucketcache.hit=1066, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=114, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?<rapiddiag_operation>task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?<get_parameters>.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?<task_name>.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 10:14:32.349, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654769640_17833', total_run_time=6.29, event_count=0, result_count=0, available_count=0, scan_count=20333, drop_count=0, exec_time=1654769662, api_et=1654766040.000000000, api_lt=1654769640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654766040.000000000, search_lt=1654769664.798537000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2811", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=410, eliminated_buckets=281, considered_events=21000, total_slices=715995, decompressed_slices=4091, duration.command.search.index=1213, invocations.command.search.index.bucketcache.hit=410, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=6497, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=41, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=138, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=360, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=84, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=5, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=398, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=6, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") 
`filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-09-2022 10:11:32.133, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654769460_17766', total_run_time=4.89, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654769464, api_et=1654765860.000000000, api_lt=1654769460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654765860.000000000, search_lt=1654769466.326904000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2719", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_e4d951d742864a1e", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=124, eliminated_buckets=49, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=65, invocations.command.search.index.bucketcache.hit=124, 
duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?<dest_host>.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 10:10:00.496, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654769220_17713', total_run_time=21.58, event_count=1150, result_count=58, available_count=0, scan_count=341394, drop_count=0, exec_time=1654769280, api_et=1654765620.000000000, api_lt=1654769220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654765620.000000000, search_lt=1654769281.881863000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2847", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=415, eliminated_buckets=201, considered_events=347598, total_slices=702318, decompressed_slices=118580, duration.command.search.index=4660, invocations.command.search.index.bucketcache.hit=415, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=36971, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=3, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=277094, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=30632, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-09-2022 10:09:59.919, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654769220_17708', total_run_time=9.05, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654769246, api_et=1654765620.000000000, api_lt=1654769220.000000000, api_index_et=N/A, 
api_index_lt=N/A, search_et=1654765620.000000000, search_lt=1654769248.406969000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2902", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_bac1998fa5c40ac2", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=418, eliminated_buckets=201, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=1071, invocations.command.search.index.bucketcache.hit=415, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine 
"sft\s.+?\s(?<dest_host>(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 10:09:59.785, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654769340_17733', total_run_time=21.60, event_count=0, result_count=0, available_count=0, scan_count=5390119, drop_count=0, exec_time=1654769345, api_et=1654765140.000000000, api_lt=1654768740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654765140.000000000, search_lt=1654768740.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3025", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_f2fb8d14f899930e", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=809, eliminated_buckets=388, considered_events=5390119, total_slices=1126916, decompressed_slices=244201, duration.command.search.index=2200, invocations.command.search.index.bucketcache.hit=806, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=40169, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=161, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?<granted_account_id>\d+?):(?<granted_principal_name>.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 09:45:09.724, user=u00001, action=search, 
info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654767780_17239', total_run_time=21.08, event_count=0, result_count=0, available_count=0, scan_count=4186, drop_count=0, exec_time=1654767818, api_et=1654764180.000000000, api_lt=1654767780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654764180.000000000, search_lt=1654767820.490197000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2979", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_ff063f1b48c9366e", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=127, eliminated_buckets=0, considered_events=4186, total_slices=699020, decompressed_slices=1424, duration.command.search.index=1133, invocations.command.search.index.bucketcache.hit=127, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4982, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") 
earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 09:36:28.018, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654767180_17032', total_run_time=173.65, event_count=0, result_count=0, available_count=0, scan_count=42102860, drop_count=0, exec_time=1654767205, api_et=1654763580.000000000, api_lt=1654767180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654763580.000000000, search_lt=1654767207.648392000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3825", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_a348ddb3fc4f5c5a", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1858, eliminated_buckets=137, considered_events=42102860, total_slices=14369509, decompressed_slices=4203585, duration.command.search.index=15883, invocations.command.search.index.bucketcache.hit=1858, 
duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=227178, invocations.command.search.rawdata.bucketcache.hit=290, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 09:16:33.968, user=u00001, action=search, info=completed, 
search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654766160_16676', total_run_time=8.34, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654766171, api_et=1654761960.000000000, api_lt=1654765560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654762560.000000000, search_lt=1654766173.154420000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3280", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_8aca637862bdd4ff", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1064, eliminated_buckets=381, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=718, invocations.command.search.index.bucketcache.hit=1064, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert 
OR sendemail) earliest=-1h | rex field=uri_path ".+(?<rapiddiag_operation>task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?<get_parameters>.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?<task_name>.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 09:14:33.779, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654766040_16636', total_run_time=4.91, event_count=0, result_count=0, available_count=0, scan_count=11020, drop_count=0, exec_time=1654766063, api_et=1654762440.000000000, api_lt=1654766040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654762440.000000000, search_lt=1654766065.110099000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2767", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=426, eliminated_buckets=297, considered_events=11069, total_slices=648083, decompressed_slices=2703, duration.command.search.index=1097, invocations.command.search.index.bucketcache.hit=426, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5666, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=42, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=137, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=309, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=72, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=2, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=140, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=3, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") 
`filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-09-2022 09:11:33.669, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654765860_16570', total_run_time=4.84, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654765865, api_et=1654762260.000000000, api_lt=1654765860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654762260.000000000, search_lt=1654765867.110892000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2804", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_266d727c1cba1e9a", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=123, eliminated_buckets=48, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=61, invocations.command.search.index.bucketcache.hit=123, 
duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 09:09:33.932, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654765740_16535', total_run_time=17.92, event_count=0, result_count=0, available_count=0, scan_count=5171119, drop_count=0, exec_time=1654765746, api_et=1654761540.000000000, api_lt=1654765140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654761540.000000000, search_lt=1654765140.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3067", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_41df1ba48bfdde76", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=807, eliminated_buckets=383, considered_events=5171119, total_slices=1135763, decompressed_slices=229513, duration.command.search.index=2045, invocations.command.search.index.bucketcache.hit=807, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=36255, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=171, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?<granted_account_id>\d+?):(?<granted_principal_name>.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 09:08:33.692, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654765620_16522', total_run_time=14.63, event_count=1539, result_count=56, available_count=0, scan_count=345777, drop_count=0, exec_time=1654765684, api_et=1654762020.000000000, api_lt=1654765620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654762020.000000000, search_lt=1654765686.451802000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="3003", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=425, eliminated_buckets=201, considered_events=349303, total_slices=811226, decompressed_slices=219040, duration.command.search.index=4491, invocations.command.search.index.bucketcache.hit=425, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=41600, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=2, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=286268, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=28116, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype 
CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-09-2022 09:07:33.772, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654765620_16511', total_run_time=5.64, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654765646, api_et=1654762020.000000000, api_lt=1654765620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654762020.000000000, search_lt=1654765648.006307000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2641", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_e95493fb846ec4e8", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=425, eliminated_buckets=201, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=1248, invocations.command.search.index.bucketcache.hit=425, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 09:00:33.851, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654765140_16319', total_run_time=14.22, event_count=0, result_count=0, available_count=0, scan_count=21980386, drop_count=0, exec_time=1654765190, api_et=1654750740.000000000, api_lt=1654765140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654750740.000000000, search_lt=1654765140.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2639", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=21980386, total_slices=1061255, decompressed_slices=383782, duration.command.search.index=7885, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=60380, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11385139, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 08:59:03.666, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654765080_16306', total_run_time=12.95, event_count=0, result_count=0, available_count=0, scan_count=21971724, drop_count=0, exec_time=1654765129, api_et=1654750680.000000000, api_lt=1654765080.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654750680.000000000, search_lt=1654765080.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2718", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=21971724, total_slices=1059333, decompressed_slices=383747, duration.command.search.index=8292, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58411, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11382239, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 08:58:33.794, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654765020_16290', total_run_time=15.67, event_count=0, result_count=0, available_count=0, scan_count=21970045, drop_count=0, exec_time=1654765070, api_et=1654750620.000000000, api_lt=1654765020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654750620.000000000, search_lt=1654765020.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2725", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=21970045, total_slices=1057655, decompressed_slices=383731, duration.command.search.index=8277, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58461, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11381221, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 08:57:29.992, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654764900_16261', total_run_time=14.53, event_count=0, result_count=0, available_count=0, scan_count=21967190, drop_count=0, exec_time=1654764949, api_et=1654750500.000000000, api_lt=1654764900.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654750500.000000000, search_lt=1654764900.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3175", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=21967190, total_slices=1054154, decompressed_slices=383566, duration.command.search.index=7985, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57871, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11380201, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 08:57:29.941, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654764960_16272', total_run_time=12.28, event_count=0, result_count=0, available_count=0, scan_count=21969465, drop_count=0, exec_time=1654765009, api_et=1654750560.000000000, api_lt=1654764960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654750560.000000000, search_lt=1654764960.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2700", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=21969465, total_slices=1055880, decompressed_slices=383652, duration.command.search.index=7849, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55281, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11381249, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 08:55:20.509, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654764840_16245', total_run_time=16.14, event_count=0, result_count=0, available_count=0, scan_count=21965407, drop_count=0, exec_time=1654764890, api_et=1654750440.000000000, api_lt=1654764840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654750440.000000000, search_lt=1654764840.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="5767", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=21965407, total_slices=1052396, decompressed_slices=383481, duration.command.search.index=7818, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55109, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11378507, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 08:54:20.617, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654764780_16228', total_run_time=12.63, event_count=0, result_count=0, available_count=0, scan_count=21961665, drop_count=0, exec_time=1654764830, api_et=1654750380.000000000, api_lt=1654764780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654750380.000000000, search_lt=1654764780.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2630", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=21961665, total_slices=1050497, decompressed_slices=383445, duration.command.search.index=8167, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53703, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11377703, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 08:53:20.806, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654764720_16204', total_run_time=15.75, event_count=0, result_count=0, available_count=0, scan_count=21961265, drop_count=0, exec_time=1654764769, api_et=1654750320.000000000, api_lt=1654764720.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654750320.000000000, search_lt=1654764720.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2693", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=21961265, total_slices=1048744, decompressed_slices=383513, duration.command.search.index=8650, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58322, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11379208, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 08:52:09.948, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654764660_16187', total_run_time=13.77, event_count=0, result_count=0, available_count=0, scan_count=21962501, drop_count=0, exec_time=1654764709, api_et=1654750260.000000000, api_lt=1654764660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654750260.000000000, search_lt=1654764660.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2632", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=21962501, total_slices=1073386, decompressed_slices=383524, duration.command.search.index=8207, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56827, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11380135, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 08:51:48.286, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654764360_16079', total_run_time=12.57, event_count=0, result_count=0, available_count=0, scan_count=21956208, drop_count=0, exec_time=1654764410, api_et=1654749960.000000000, api_lt=1654764360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654749960.000000000, search_lt=1654764360.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2678", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=21956208, total_slices=1090765, decompressed_slices=383433, duration.command.search.index=7950, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53116, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11379767, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 08:51:47.759, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654764540_16140', total_run_time=14.72, event_count=0, result_count=0, available_count=0, scan_count=21959263, drop_count=0, exec_time=1654764589, api_et=1654750140.000000000, api_lt=1654764540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654750140.000000000, search_lt=1654764540.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2889", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=21959263, total_slices=1096018, decompressed_slices=383503, duration.command.search.index=8033, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56336, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11379410, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 08:51:47.658, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654764300_16061', total_run_time=13.92, event_count=0, result_count=0, available_count=0, scan_count=21954724, drop_count=0, exec_time=1654764349, api_et=1654749900.000000000, api_lt=1654764300.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654749900.000000000, search_lt=1654764300.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2809", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=21954724, total_slices=1089048, decompressed_slices=383479, duration.command.search.index=7689, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57022, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11378443, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 08:51:47.060, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654764240_16039', total_run_time=12.85, event_count=0, result_count=0, available_count=0, scan_count=21951529, drop_count=0, exec_time=1654764290, api_et=1654749840.000000000, api_lt=1654764240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654749840.000000000, search_lt=1654764240.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2653", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=21951529, total_slices=1087258, decompressed_slices=383459, duration.command.search.index=7830, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56007, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11376897, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 08:51:44.969, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654764600_16162', total_run_time=14.68, event_count=0, result_count=0, available_count=0, scan_count=21961819, drop_count=0, exec_time=1654764649, api_et=1654750200.000000000, api_lt=1654764600.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654750200.000000000, search_lt=1654764600.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2671", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=21961819, total_slices=1071643, decompressed_slices=383504, duration.command.search.index=8129, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56051, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11379674, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 08:51:44.169, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654764420_16101', total_run_time=13.78, event_count=0, result_count=0, available_count=0, scan_count=21956210, drop_count=0, exec_time=1654764469, api_et=1654750020.000000000, api_lt=1654764420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654750020.000000000, search_lt=1654764420.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2752", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=21956210, total_slices=1092507, decompressed_slices=383486, duration.command.search.index=7944, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=54996, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11378624, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 08:51:43.928, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654764480_16117', total_run_time=13.44, event_count=0, result_count=0, available_count=0, scan_count=21956719, drop_count=0, exec_time=1654764529, api_et=1654750080.000000000, api_lt=1654764480.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654750080.000000000, search_lt=1654764480.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2668", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=21956719, total_slices=1094232, decompressed_slices=383481, duration.command.search.index=7977, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55924, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11378413, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 08:44:13.557, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654764180_16018', total_run_time=13.08, event_count=0, result_count=0, available_count=0, scan_count=21949019, drop_count=0, exec_time=1654764229, api_et=1654749780.000000000, api_lt=1654764180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654749780.000000000, search_lt=1654764180.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3130", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=21949019, total_slices=1085552, decompressed_slices=383455, duration.command.search.index=7627, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57452, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11375592, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 08:44:13.197, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654764180_16015', total_run_time=21.27, event_count=0, result_count=0, available_count=0, scan_count=3515, drop_count=0, exec_time=1654764218, api_et=1654760580.000000000, api_lt=1654764180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654760580.000000000, search_lt=1654764220.188068000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2917", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_1837dc5467dddd25", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=128, eliminated_buckets=0, considered_events=3515, total_slices=594170, decompressed_slices=1283, duration.command.search.index=993, invocations.command.search.index.bucketcache.hit=128, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4675, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter 
vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 08:43:12.459, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654764120_15988', total_run_time=14.70, event_count=0, result_count=0, available_count=0, scan_count=21944694, drop_count=0, exec_time=1654764170, api_et=1654749720.000000000, api_lt=1654764120.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654749720.000000000, search_lt=1654764120.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2674", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=21944694, total_slices=1083671, decompressed_slices=383420, duration.command.search.index=7786, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57964, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11375513, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 08:42:43.013, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654763820_15888', total_run_time=14.16, event_count=0, result_count=0, available_count=0, scan_count=21929915, drop_count=0, exec_time=1654763870, api_et=1654749420.000000000, api_lt=1654763820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654749420.000000000, search_lt=1654763820.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2793", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=0, considered_events=21929915, total_slices=1100716, decompressed_slices=383312, duration.command.search.index=7840, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55555, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11375492, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 08:42:42.297, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654764000_15940', total_run_time=14.10, event_count=0, result_count=0, available_count=0, scan_count=21941050, drop_count=0, exec_time=1654764049, api_et=1654749600.000000000, api_lt=1654764000.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654749600.000000000, search_lt=1654764000.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2946", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=0, considered_events=21941050, total_slices=1106271, decompressed_slices=383333, duration.command.search.index=7764, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56759, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11375649, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 08:42:41.577, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654763760_15873', total_run_time=12.97, event_count=0, result_count=0, available_count=0, scan_count=21929657, drop_count=0, exec_time=1654763810, api_et=1654749360.000000000, api_lt=1654763760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654749360.000000000, search_lt=1654763760.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2697", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=0, considered_events=21929657, total_slices=1099181, decompressed_slices=383336, duration.command.search.index=7770, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56454, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11378519, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 08:42:41.506, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654763940_15918', total_run_time=13.62, event_count=0, result_count=0, available_count=0, scan_count=21935305, drop_count=0, exec_time=1654763990, api_et=1654749540.000000000, api_lt=1654763940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654749540.000000000, search_lt=1654763940.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2907", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=0, considered_events=21935305, total_slices=1104461, decompressed_slices=383353, duration.command.search.index=7640, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55024, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11372459, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 08:42:40.445, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654763880_15901', total_run_time=14.36, event_count=0, result_count=0, available_count=0, scan_count=21931163, drop_count=0, exec_time=1654763929, api_et=1654749480.000000000, api_lt=1654763880.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654749480.000000000, search_lt=1654763880.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3021", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=0, considered_events=21931163, total_slices=1102572, decompressed_slices=383267, duration.command.search.index=8072, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=54461, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11371064, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 08:42:40.431, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654763700_15863', total_run_time=13.50, event_count=0, result_count=0, available_count=0, scan_count=21926775, drop_count=0, exec_time=1654763750, api_et=1654749300.000000000, api_lt=1654763700.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654749300.000000000, search_lt=1654763700.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2664", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=0, considered_events=21926775, total_slices=1097397, decompressed_slices=383294, duration.command.search.index=7694, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55823, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11378187, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 08:42:39.650, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654764060_15965', total_run_time=13.12, event_count=0, result_count=0, available_count=0, scan_count=21942202, drop_count=0, exec_time=1654764109, api_et=1654749660.000000000, api_lt=1654764060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654749660.000000000, search_lt=1654764060.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3032", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=21942202, total_slices=1081978, decompressed_slices=383473, duration.command.search.index=7872, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56699, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11375829, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 08:35:20.046, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654763640_15842', total_run_time=14.71, event_count=0, result_count=0, available_count=0, scan_count=21920907, drop_count=0, exec_time=1654763690, api_et=1654749240.000000000, api_lt=1654763640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654749240.000000000, search_lt=1654763640.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2732", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=21920907, total_slices=1122061, decompressed_slices=383213, duration.command.search.index=7975, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56327, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11377766, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 08:34:19.860, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654763580_15806', total_run_time=16.89, event_count=0, result_count=0, available_count=0, scan_count=21917901, drop_count=0, exec_time=1654763629, api_et=1654749180.000000000, api_lt=1654763580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654749180.000000000, search_lt=1654763580.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2694", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=141, eliminated_buckets=0, considered_events=21917901, total_slices=1146627, decompressed_slices=383119, duration.command.search.index=8994, invocations.command.search.index.bucketcache.hit=141, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=63620, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11377583, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 08:34:19.535, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654763580_15794', total_run_time=37.18, event_count=0, result_count=0, available_count=0, scan_count=42034875, drop_count=0, exec_time=1654763606, api_et=1654759980.000000000, api_lt=1654763580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654759980.000000000, search_lt=1654763608.076637000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3400", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_0b8bb8174ebd1130", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1870, eliminated_buckets=137, considered_events=42034875, total_slices=14399285, decompressed_slices=4173118, duration.command.search.index=14728, invocations.command.search.index.bucketcache.hit=1870, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=229092, invocations.command.search.rawdata.bucketcache.hit=304, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 08:33:19.737, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654763520_15770', total_run_time=17.85, event_count=0, result_count=0, available_count=0, scan_count=21911493, drop_count=0, exec_time=1654763570, api_et=1654749120.000000000, api_lt=1654763520.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654749120.000000000, search_lt=1654763520.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2712", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=141, eliminated_buckets=0, considered_events=21911493, total_slices=1144834, decompressed_slices=383081, duration.command.search.index=8976, invocations.command.search.index.bucketcache.hit=141, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=66212, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11376437, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 08:32:19.598, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654763460_15740', total_run_time=17.18, event_count=0, result_count=0, available_count=0, scan_count=21913781, drop_count=0, exec_time=1654763509, api_et=1654749060.000000000, api_lt=1654763460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654749060.000000000, search_lt=1654763460.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2612", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=142, eliminated_buckets=0, considered_events=21913781, total_slices=1169303, decompressed_slices=383098, duration.command.search.index=9356, invocations.command.search.index.bucketcache.hit=142, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=69915, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11378165, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 08:31:19.587, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654763400_15712', total_run_time=22.43, event_count=0, result_count=0, available_count=0, scan_count=21915873, drop_count=0, exec_time=1654763449, api_et=1654749000.000000000, api_lt=1654763400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654749000.000000000, search_lt=1654763400.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3203", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=142, eliminated_buckets=0, considered_events=21915873, total_slices=1193792, decompressed_slices=383089, duration.command.search.index=10496, invocations.command.search.index.bucketcache.hit=142, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=77372, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11378687, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 08:30:19.673, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654763340_15684', total_run_time=15.48, event_count=0, result_count=0, available_count=0, scan_count=21915103, drop_count=0, exec_time=1654763390, api_et=1654748940.000000000, api_lt=1654763340.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654748940.000000000, search_lt=1654763340.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2860", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=142, eliminated_buckets=0, considered_events=21915103, total_slices=1191929, decompressed_slices=382946, duration.command.search.index=7867, invocations.command.search.index.bucketcache.hit=142, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57359, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11379996, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 08:29:19.609, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654763280_15670', total_run_time=12.87, event_count=0, result_count=0, available_count=0, scan_count=21913839, drop_count=0, exec_time=1654763330, api_et=1654748880.000000000, api_lt=1654763280.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654748880.000000000, search_lt=1654763280.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2640", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=142, eliminated_buckets=0, considered_events=21913839, total_slices=1190159, decompressed_slices=382890, duration.command.search.index=7817, invocations.command.search.index.bucketcache.hit=142, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56059, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11380152, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 08:28:19.468, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654763220_15656', total_run_time=13.72, event_count=0, result_count=0, available_count=0, scan_count=21913387, drop_count=0, exec_time=1654763269, api_et=1654748820.000000000, api_lt=1654763220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654748820.000000000, search_lt=1654763220.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2706", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=143, eliminated_buckets=0, considered_events=21913387, total_slices=1214908, decompressed_slices=382939, duration.command.search.index=7725, invocations.command.search.index.bucketcache.hit=143, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56510, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11383198, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 08:27:19.561, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654763160_15638', total_run_time=12.56, event_count=0, result_count=0, available_count=0, scan_count=21915888, drop_count=0, exec_time=1654763209, api_et=1654748760.000000000, api_lt=1654763160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654748760.000000000, search_lt=1654763160.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2576", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=21915888, total_slices=1213220, decompressed_slices=382964, duration.command.search.index=7747, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57015, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11384935, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 08:26:19.462, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654763100_15622', total_run_time=16.05, event_count=0, result_count=0, available_count=0, scan_count=21917204, drop_count=0, exec_time=1654763149, api_et=1654748700.000000000, api_lt=1654763100.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654748700.000000000, search_lt=1654763100.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3088", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=21917204, total_slices=1211571, decompressed_slices=383006, duration.command.search.index=8559, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=62726, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11386759, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 08:25:19.602, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654762980_15590', total_run_time=13.99, event_count=0, result_count=0, available_count=0, scan_count=21909178, drop_count=0, exec_time=1654763029, api_et=1654748580.000000000, api_lt=1654762980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654748580.000000000, search_lt=1654762980.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2658", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=21909178, total_slices=1234022, decompressed_slices=382883, duration.command.search.index=8345, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55692, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11385472, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 08:25:18.954, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654763040_15609', total_run_time=14.37, event_count=0, result_count=0, available_count=0, scan_count=21913194, drop_count=0, exec_time=1654763089, api_et=1654748640.000000000, api_lt=1654763040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654748640.000000000, search_lt=1654763040.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2619", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=21913194, total_slices=1209767, decompressed_slices=382959, duration.command.search.index=7925, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=54516, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11386507, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 08:23:05.548, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654762920_15557', total_run_time=14.74, event_count=0, result_count=0, available_count=0, scan_count=21909613, drop_count=0, exec_time=1654762969, api_et=1654748520.000000000, api_lt=1654762920.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654748520.000000000, search_lt=1654762920.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2599", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=21909613, total_slices=1232229, decompressed_slices=382999, duration.command.search.index=8168, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58248, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11386877, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 08:22:05.703, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654762860_15541', total_run_time=12.78, event_count=0, result_count=0, available_count=0, scan_count=21911555, drop_count=0, exec_time=1654762909, api_et=1654748460.000000000, api_lt=1654762860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654748460.000000000, search_lt=1654762860.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2658", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=21911555, total_slices=1230573, decompressed_slices=383093, duration.command.search.index=8411, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55059, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11386281, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 08:21:26.694, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD5f35305de57109d38_at_1654762800_15514', total_run_time=14.96, event_count=11388115, result_count=15, available_count=0, scan_count=21917877, drop_count=0, exec_time=1654762857, api_et=1654748400.000000000, api_lt=1654762800.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654748400.000000000, search_lt=1654762800.000000000, is_realtime=0, savedsearch_name="(1/3)_Public/NAT IP_Updating Existing IP", search_startup_time="2744", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_0f6d107c44b6659a", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=21917877, total_slices=1229144, decompressed_slices=383184, duration.command.search.index=8457, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57170, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11388115, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="False" | eval earliest_seen=strptime(existing_es, "%m/%d/%Y %H:%M:%S.%N") | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(earliest_seen) as 
earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields ServiceType, host, src_translated_ip, earliest_seen, latest_seen, right_now, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 08:21:26.544, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654762560_15410', total_run_time=11.06, event_count=0, result_count=0, available_count=0, scan_count=1, drop_count=0, exec_time=1654762570, api_et=1654758360.000000000, api_lt=1654761960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654758960.000000000, search_lt=1654762572.764112000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3699", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_91bae0144be8c76b", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1064, eliminated_buckets=381, considered_events=1, total_slices=4277, decompressed_slices=1, duration.command.search.index=721, invocations.command.search.index.bucketcache.hit=1064, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=125, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 08:21:26.487, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654762620_15441', total_run_time=13.81, event_count=0, result_count=0, available_count=0, scan_count=21914746, drop_count=0, exec_time=1654762669, api_et=1654748220.000000000, api_lt=1654762620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654748220.000000000, search_lt=1654762620.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2761", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=21914746, total_slices=1223662, decompressed_slices=383141, duration.command.search.index=7902, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56955, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11387654, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 08:21:26.443, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654762740_15487', total_run_time=13.10, event_count=0, result_count=0, available_count=0, scan_count=21918239, drop_count=0, exec_time=1654762789, api_et=1654748340.000000000, api_lt=1654762740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654748340.000000000, search_lt=1654762740.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2820", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=21918239, total_slices=1227145, decompressed_slices=383182, duration.command.search.index=7769, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55985, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11387614, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 08:21:26.409, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654762680_15461', total_run_time=15.20, event_count=0, result_count=0, available_count=0, scan_count=21916741, drop_count=0, exec_time=1654762729, api_et=1654748280.000000000, api_lt=1654762680.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654748280.000000000, search_lt=1654762680.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2847", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=21916741, total_slices=1225453, decompressed_slices=383059, duration.command.search.index=8148, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59068, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11386729, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 08:21:25.316, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654762800_15511', total_run_time=14.04, event_count=0, result_count=0, available_count=0, scan_count=21917878, drop_count=0, exec_time=1654762850, api_et=1654748400.000000000, api_lt=1654762800.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654748400.000000000, search_lt=1654762800.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2664", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=21917878, total_slices=1228915, decompressed_slices=383182, duration.command.search.index=8384, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57679, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11388115, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 08:21:24.713, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654762560_15416', total_run_time=12.91, event_count=0, result_count=0, available_count=0, scan_count=21918707, drop_count=0, exec_time=1654762609, api_et=1654748160.000000000, api_lt=1654762560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654748160.000000000, search_lt=1654762560.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2602", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=21918707, total_slices=1221985, decompressed_slices=383122, duration.command.search.index=7764, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56663, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11389324, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 08:16:05.443, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654762500_15399', total_run_time=13.24, event_count=0, result_count=0, available_count=0, scan_count=21920128, drop_count=0, exec_time=1654762549, api_et=1654748100.000000000, api_lt=1654762500.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654748100.000000000, search_lt=1654762500.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2893", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=21920128, total_slices=1220322, decompressed_slices=383117, duration.command.search.index=7874, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56214, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11391358, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 08:15:05.579, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654762440_15380', total_run_time=13.20, event_count=0, result_count=0, available_count=0, scan_count=21917206, drop_count=0, exec_time=1654762489, api_et=1654748040.000000000, api_lt=1654762440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654748040.000000000, search_lt=1654762440.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2672", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=21917206, total_slices=1218488, decompressed_slices=382977, duration.command.search.index=7612, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=54513, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11391402, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 08:14:36.495, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654762440_15367', total_run_time=5.35, event_count=0, result_count=0, available_count=0, scan_count=11800, drop_count=0, exec_time=1654762463, api_et=1654758840.000000000, api_lt=1654762440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654758840.000000000, search_lt=1654762464.969457000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2793", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", 
provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=411, eliminated_buckets=282, considered_events=11811, total_slices=573946, decompressed_slices=2850, duration.command.search.index=923, invocations.command.search.index.bucketcache.hit=411, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5451, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=43, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=109, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=300, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=70, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=6, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=79, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=9, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR 
sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." 
(CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-09-2022 08:14:08.176, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654762380_15357', total_run_time=12.23, event_count=0, result_count=0, available_count=0, scan_count=21915277, drop_count=0, exec_time=1654762429, api_et=1654747980.000000000, api_lt=1654762380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654747980.000000000, search_lt=1654762380.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2648", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=21915277, total_slices=1216736, decompressed_slices=382949, duration.command.search.index=7517, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55194, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11390867, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 08:13:05.990, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654762320_15329', total_run_time=13.96, event_count=0, result_count=0, available_count=0, scan_count=21913417, drop_count=0, exec_time=1654762369, api_et=1654747920.000000000, api_lt=1654762320.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654747920.000000000, search_lt=1654762320.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3086", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=21913417, total_slices=1215035, decompressed_slices=383015, duration.command.search.index=7334, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57965, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11391183, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 08:12:05.613, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654762260_15310', total_run_time=12.97, event_count=0, result_count=0, available_count=0, scan_count=21915679, drop_count=0, exec_time=1654762308, api_et=1654747860.000000000, api_lt=1654762260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654747860.000000000, search_lt=1654762260.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3198", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=21915679, total_slices=1213358, decompressed_slices=382945, duration.command.search.index=7908, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55234, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11393160, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 08:11:47.047, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654762260_15292', total_run_time=5.83, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654762264, api_et=1654758660.000000000, api_lt=1654762260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654758660.000000000, search_lt=1654762266.104754000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2317", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_3ef09488d0dd9507", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=123, eliminated_buckets=48, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=61, invocations.command.search.index.bucketcache.hit=123, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting 
to collect intellectual property from the Gitlab source control system." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 08:11:07.313, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654762200_15285', total_run_time=13.98, event_count=0, result_count=0, available_count=0, scan_count=21918164, drop_count=0, exec_time=1654762250, api_et=1654747800.000000000, api_lt=1654762200.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654747800.000000000, search_lt=1654762200.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2582", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=21918164, total_slices=1211679, decompressed_slices=382908, duration.command.search.index=7902, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56225, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11395536, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 08:10:06.149, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654762140_15266', total_run_time=14.00, event_count=0, result_count=0, available_count=0, scan_count=21914352, drop_count=0, exec_time=1654762189, api_et=1654747740.000000000, api_lt=1654762140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654747740.000000000, search_lt=1654762140.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2695", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=21914352, total_slices=1235724, decompressed_slices=382854, duration.command.search.index=7624, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=54743, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11395138, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 08:09:51.252, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654762140_15258', total_run_time=18.74, event_count=0, result_count=0, available_count=0, scan_count=5269642, drop_count=0, exec_time=1654762145, api_et=1654757940.000000000, api_lt=1654761540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654757940.000000000, search_lt=1654761540.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="2983", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_2aa1d3d4998d5952", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=813, eliminated_buckets=388, considered_events=5269642, total_slices=1081802, decompressed_slices=235166, duration.command.search.index=2080, invocations.command.search.index.bucketcache.hit=808, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=36687, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=198, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 08:09:22.460, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654762080_15250', total_run_time=12.67, event_count=0, result_count=0, available_count=0, scan_count=21912136, drop_count=0, exec_time=1654762129, api_et=1654747680.000000000, api_lt=1654762080.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654747680.000000000, search_lt=1654762080.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New 
IP", search_startup_time="2660", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=21912136, total_slices=1233861, decompressed_slices=382806, duration.command.search.index=8024, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53463, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11395077, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as 
latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 08:09:21.425, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654762020_15234', total_run_time=13.07, event_count=0, result_count=0, available_count=0, scan_count=21907286, drop_count=0, exec_time=1654762069, api_et=1654747620.000000000, api_lt=1654762020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654747620.000000000, search_lt=1654762020.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2823", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=21907286, total_slices=1231769, decompressed_slices=382823, duration.command.search.index=8090, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55062, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, 
sourcetype_count__pan:traffic=11395914, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 08:09:21.266, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654761900_15198', total_run_time=14.04, event_count=0, result_count=0, available_count=0, scan_count=21910030, drop_count=0, exec_time=1654761950, api_et=1654747500.000000000, api_lt=1654761900.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654747500.000000000, search_lt=1654761900.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2556", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=21910030, total_slices=1228832, decompressed_slices=382921, duration.command.search.index=8127, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58500, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11398006, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 08:09:20.673, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654761960_15212', total_run_time=14.01, event_count=0, result_count=0, available_count=0, scan_count=21907514, drop_count=0, exec_time=1654762010, api_et=1654747560.000000000, api_lt=1654761960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654747560.000000000, search_lt=1654761960.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2607", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=21907514, total_slices=1230536, decompressed_slices=382931, duration.command.search.index=8323, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57587, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11397418, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 08:09:19.408, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654762020_15229', total_run_time=6.02, event_count=0, result_count=0, available_count=0, scan_count=1, drop_count=0, exec_time=1654762046, api_et=1654758420.000000000, api_lt=1654762020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654758420.000000000, search_lt=1654762048.291864000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2874", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_1b6a51d5a9bbecd3", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=410, eliminated_buckets=201, considered_events=1, total_slices=3971, decompressed_slices=1, duration.command.search.index=715, invocations.command.search.index.bucketcache.hit=410, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=126, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, 
risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 08:09:19.065, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654762020_15237', total_run_time=20.58, event_count=1257, result_count=56, available_count=0, scan_count=380297, drop_count=0, exec_time=1654762080, api_et=1654758420.000000000, api_lt=1654762020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654758420.000000000, search_lt=1654762082.241561000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2766", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=410, eliminated_buckets=201, considered_events=385146, total_slices=537074, decompressed_slices=112809, duration.command.search.index=3372, invocations.command.search.index.bucketcache.hit=410, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=29471, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, 
invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=5, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=306722, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=35099, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-09-2022 08:05:16.187, user=u00002, action=search, info=completed, 
search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654761840_15181', total_run_time=14.77, event_count=0, result_count=0, available_count=0, scan_count=21907918, drop_count=0, exec_time=1654761890, api_et=1654747440.000000000, api_lt=1654761840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654747440.000000000, search_lt=1654761840.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2783", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=1, considered_events=21907918, total_slices=1227167, decompressed_slices=382903, duration.command.search.index=7682, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=60506, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11396646, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" 
src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 08:04:16.787, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654761780_15139', total_run_time=16.95, event_count=0, result_count=0, available_count=0, scan_count=21903772, drop_count=0, exec_time=1654761829, api_et=1654747380.000000000, api_lt=1654761780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654747380.000000000, search_lt=1654761780.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2591", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=143, eliminated_buckets=0, considered_events=21903772, total_slices=1225297, decompressed_slices=382839, duration.command.search.index=8915, invocations.command.search.index.bucketcache.hit=143, duration.command.search.index.bucketcache.hit=0, 
invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=67517, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11394582, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 08:03:15.808, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654761720_15092', total_run_time=14.30, 
event_count=0, result_count=0, available_count=0, scan_count=21899195, drop_count=0, exec_time=1654761769, api_et=1654747320.000000000, api_lt=1654761720.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654747320.000000000, search_lt=1654761720.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2625", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=143, eliminated_buckets=0, considered_events=21899195, total_slices=1223467, decompressed_slices=382788, duration.command.search.index=8563, invocations.command.search.index.bucketcache.hit=143, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=63208, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11393983, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, 
dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 08:02:15.821, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654761660_15060', total_run_time=17.35, event_count=0, result_count=0, available_count=0, scan_count=21898544, drop_count=0, exec_time=1654761708, api_et=1654747260.000000000, api_lt=1654761660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654747260.000000000, search_lt=1654761660.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2577", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=143, eliminated_buckets=0, considered_events=21898544, total_slices=1221766, decompressed_slices=382741, duration.command.search.index=9248, invocations.command.search.index.bucketcache.hit=143, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, 
duration.command.search.rawdata=78783, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11395770, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 08:01:16.135, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654761600_15031', total_run_time=24.27, event_count=0, result_count=0, available_count=0, scan_count=21899670, drop_count=0, exec_time=1654761649, api_et=1654747200.000000000, 
api_lt=1654761600.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654747200.000000000, search_lt=1654761600.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2697", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=143, eliminated_buckets=0, considered_events=21899670, total_slices=1220034, decompressed_slices=382675, duration.command.search.index=9695, invocations.command.search.index.bucketcache.hit=143, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=76624, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11395961, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, 
earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 07:44:08.765, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654760580_14745', total_run_time=21.13, event_count=0, result_count=0, available_count=0, scan_count=4835, drop_count=0, exec_time=1654760618, api_et=1654756980.000000000, api_lt=1654760580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654756980.000000000, search_lt=1654760620.972064000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3102", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_b85e953552877e0b", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=0, considered_events=4835, total_slices=616580, decompressed_slices=1697, duration.command.search.index=1030, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4913, invocations.command.search.rawdata.bucketcache.hit=0, 
duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 07:34:08.580, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654759980_14540', total_run_time=37.04, event_count=0, result_count=0, available_count=0, scan_count=41975568, drop_count=0, exec_time=1654760005, api_et=1654756380.000000000, api_lt=1654759980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654756380.000000000, search_lt=1654760007.535701000, is_realtime=0, 
savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3858", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_ac250cf6c3cce663", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1848, eliminated_buckets=137, considered_events=41975568, total_slices=14097751, decompressed_slices=4152083, duration.command.search.index=14426, invocations.command.search.index.bucketcache.hit=1847, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=225339, invocations.command.search.rawdata.bucketcache.hit=280, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip 
dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 07:17:28.637, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654758960_14202', total_run_time=9.15, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654758970, api_et=1654754760.000000000, api_lt=1654758360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654755360.000000000, search_lt=1654758972.085934000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3230", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_e7a7bec690f94715", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1067, eliminated_buckets=383, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=813, invocations.command.search.index.bucketcache.hit=1067, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, 
duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metadata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metadata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . 
" contain(s) risky tshirt commands that may indicate a CSRF attack." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 07:14:41.446, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654758840_14162', total_run_time=5.76, event_count=0, result_count=0, available_count=0, scan_count=13571, drop_count=0, exec_time=1654758863, api_et=1654755240.000000000, api_lt=1654758840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654755240.000000000, search_lt=1654758865.127536000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2852", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=417, eliminated_buckets=287, considered_events=13571, total_slices=510292, decompressed_slices=2824, duration.command.search.index=1046, invocations.command.search.index.bucketcache.hit=417, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5760, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=51, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=131, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=310, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=81, 
sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=4, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=164, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=4, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR 
sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-09-2022 07:11:11.337, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654758660_14096', total_run_time=4.96, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654758664, api_et=1654755060.000000000, api_lt=1654758660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654755060.000000000, search_lt=1654758665.921348000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2792", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_65ab37f7af872c73", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=123, eliminated_buckets=48, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=58, 
invocations.command.search.index.bucketcache.hit=123, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?<dest_host>.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 07:09:41.190, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654758540_14065', total_run_time=19.44, event_count=0, result_count=0, available_count=0, scan_count=5211096, drop_count=0, exec_time=1654758545, api_et=1654754340.000000000, api_lt=1654757940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654754340.000000000, search_lt=1654757940.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3055", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_eb24c638576c7bc6", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=808, eliminated_buckets=387, considered_events=5211096, total_slices=1043922, decompressed_slices=228608, duration.command.search.index=2070, invocations.command.search.index.bucketcache.hit=808, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=37680, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=184, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?<granted_account_id>\d+?):(?<granted_principal_name>.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 07:08:26.217, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654758420_14042', total_run_time=5.64, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654758446, api_et=1654754820.000000000, api_lt=1654758420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654754820.000000000, search_lt=1654758448.595552000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To 
Gitlab Servers - Rule", search_startup_time="2687", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_438720e72bb5a00b", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=420, eliminated_buckets=202, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=885, invocations.command.search.index.bucketcache.hit=420, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?<dest_host>(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host 
ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 07:08:25.527, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654758420_14047', total_run_time=16.76, event_count=1267, result_count=57, available_count=0, scan_count=376566, drop_count=0, exec_time=1654758480, api_et=1654754820.000000000, api_lt=1654758420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654754820.000000000, search_lt=1654758482.216029000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2789", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=420, eliminated_buckets=202, considered_events=381312, total_slices=573725, decompressed_slices=127973, duration.command.search.index=3767, invocations.command.search.index.bucketcache.hit=420, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=32078, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, 
invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=306160, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=35462, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-09-2022 06:44:12.507, user=u00001, action=search, 
info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654756980_13569', total_run_time=27.07, event_count=0, result_count=0, available_count=0, scan_count=4151, drop_count=0, exec_time=1654757018, api_et=1654753380.000000000, api_lt=1654756980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654753380.000000000, search_lt=1654757020.063631000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2814", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_d592efdf878c2779", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=127, eliminated_buckets=0, considered_events=4151, total_slices=614799, decompressed_slices=1551, duration.command.search.index=1085, invocations.command.search.index.bucketcache.hit=127, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4959, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") 
earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 06:37:09.062, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654756380_13359', total_run_time=34.96, event_count=0, result_count=0, available_count=0, scan_count=41717090, drop_count=0, exec_time=1654756405, api_et=1654752780.000000000, api_lt=1654756380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654752780.000000000, search_lt=1654756407.039362000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3788", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_5f79d4acc3aa0806", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1856, eliminated_buckets=137, considered_events=41717090, total_slices=13984051, decompressed_slices=4108965, duration.command.search.index=14189, invocations.command.search.index.bucketcache.hit=1856, 
duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=222317, invocations.command.search.rawdata.bucketcache.hit=287, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 06:16:33.761, user=u00001, action=search, info=completed, 
search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654755360_13007', total_run_time=10.41, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654755371, api_et=1654751160.000000000, api_lt=1654754760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654751760.000000000, search_lt=1654755373.049746000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3275", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_5c6b83adbbbb8e23", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1078, eliminated_buckets=385, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=891, invocations.command.search.index.bucketcache.hit=1078, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert 
OR sendemail) earliest=-1h | rex field=uri_path ".+(?<rapiddiag_operation>task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metadata")` | rex field=uri "\?(?<get_parameters>.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?<task_name>.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metadata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 06:14:33.468, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654755240_12967', total_run_time=6.83, event_count=0, result_count=0, available_count=0, scan_count=16705, drop_count=0, exec_time=1654755263, api_et=1654751640.000000000, api_lt=1654755240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654751640.000000000, search_lt=1654755265.163353000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2805", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=417, eliminated_buckets=287, considered_events=17094, total_slices=460024, decompressed_slices=3075, duration.command.search.index=1188, invocations.command.search.index.bucketcache.hit=417, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5805, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=44, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=122, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=294, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=69, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=7, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=122, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=1, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") 
`filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-09-2022 06:11:33.586, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654755060_12900', total_run_time=5.98, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654755064, api_et=1654751460.000000000, api_lt=1654755060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654751460.000000000, search_lt=1654755067.321664000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="3334", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_672c849afddd6d48", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=123, eliminated_buckets=48, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=60, invocations.command.search.index.bucketcache.hit=123, 
duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 06:09:33.396, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654754940_12866', total_run_time=17.03, event_count=1, result_count=1, available_count=0, scan_count=5239278, drop_count=0, exec_time=1654754945, api_et=1654750740.000000000, api_lt=1654754340.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654750740.000000000, search_lt=1654754340.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3185", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_c0761edea91d963b", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=804, eliminated_buckets=386, considered_events=5239278, total_slices=1032886, decompressed_slices=232586, duration.command.search.index=2073, invocations.command.search.index.bucketcache.hit=803, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=37107, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=262, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 06:08:33.458, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654754820_12845', total_run_time=21.87, event_count=1222, result_count=61, available_count=0, scan_count=349841, drop_count=0, exec_time=1654754880, api_et=1654751220.000000000, api_lt=1654754820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654751220.000000000, search_lt=1654754881.966920000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2836", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=418, eliminated_buckets=202, considered_events=354814, total_slices=605293, decompressed_slices=108119, duration.command.search.index=3605, invocations.command.search.index.bucketcache.hit=417, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=30503, invocations.command.search.rawdata.bucketcache.hit=6, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=2, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=285845, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=31768, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype 
CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-09-2022 06:08:03.666, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654754820_12840', total_run_time=8.03, event_count=0, result_count=0, available_count=0, scan_count=2, drop_count=0, exec_time=1654754846, api_et=1654751220.000000000, api_lt=1654754820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654751220.000000000, search_lt=1654754848.217331000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2735", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_9c79150b6964bb02", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=418, eliminated_buckets=202, considered_events=2, total_slices=3214, decompressed_slices=2, duration.command.search.index=809, invocations.command.search.index.bucketcache.hit=418, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=264, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 05:44:27.522, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654753380_12372', total_run_time=26.55, event_count=0, result_count=0, available_count=0, scan_count=4144, drop_count=0, exec_time=1654753418, api_et=1654749780.000000000, api_lt=1654753380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654749780.000000000, search_lt=1654753420.125872000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2816", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_58a3177a68570de4", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=128, eliminated_buckets=0, considered_events=4144, total_slices=659150, decompressed_slices=1648, duration.command.search.index=1104, invocations.command.search.index.bucketcache.hit=128, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5070, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 05:35:12.526, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654752780_12166', total_run_time=78.75, event_count=0, result_count=0, available_count=0, scan_count=41698018, drop_count=0, exec_time=1654752805, api_et=1654749180.000000000, api_lt=1654752780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654749180.000000000, search_lt=1654752807.579137000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3724", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_f8cbfe35baf42307", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1861, eliminated_buckets=137, considered_events=41698018, total_slices=13954683, decompressed_slices=4084012, duration.command.search.index=15396, invocations.command.search.index.bucketcache.hit=1860, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=271010, invocations.command.search.rawdata.bucketcache.hit=296, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 05:20:00.888, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654751760_11828', total_run_time=8.89, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654751770, api_et=1654747560.000000000, api_lt=1654751160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654748160.000000000, search_lt=1654751772.398619000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3186", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_7cc4df1549574866", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1080, eliminated_buckets=385, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=648, invocations.command.search.index.bucketcache.hit=1079, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 05:14:45.461, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654751640_11787', total_run_time=9.38, event_count=0, result_count=0, available_count=0, scan_count=15661, drop_count=0, exec_time=1654751664, api_et=1654748040.000000000, api_lt=1654751640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654748040.000000000, search_lt=1654751665.964832000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2949", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=417, eliminated_buckets=286, considered_events=16037, total_slices=397874, decompressed_slices=3041, duration.command.search.index=1167, invocations.command.search.index.bucketcache.hit=416, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=6763, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=40, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=135, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=377, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=83, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=13, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=84, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=1, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") 
`filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-09-2022 05:12:14.397, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654751460_11722', total_run_time=5.32, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654751465, api_et=1654747860.000000000, api_lt=1654751460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654747860.000000000, search_lt=1654751466.810220000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2754", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_1edae2b0a54bdd1b", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=123, eliminated_buckets=48, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=55, invocations.command.search.index.bucketcache.hit=123, 
duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 05:10:12.386, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654751340_11691', total_run_time=39.37, event_count=0, result_count=0, available_count=0, scan_count=5380462, drop_count=0, exec_time=1654751345, api_et=1654747140.000000000, api_lt=1654750740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654747140.000000000, search_lt=1654750740.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3048", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_d9fee91d12c7f1b6", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=815, eliminated_buckets=385, considered_events=5380462, total_slices=1099546, decompressed_slices=231104, duration.command.search.index=2832, invocations.command.search.index.bucketcache.hit=811, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55635, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=133, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 05:08:42.074, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654751220_11672', total_run_time=29.57, event_count=1168, result_count=60, available_count=0, scan_count=354238, drop_count=0, exec_time=1654751280, api_et=1654747620.000000000, api_lt=1654751220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654747620.000000000, search_lt=1654751282.600267000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2914", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=416, eliminated_buckets=202, considered_events=362091, total_slices=637364, decompressed_slices=107990, duration.command.search.index=10531, invocations.command.search.index.bucketcache.hit=416, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=106608, invocations.command.search.rawdata.bucketcache.hit=5, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=285904, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=32613, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | 
rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-09-2022 05:07:42.260, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654751220_11666', total_run_time=14.55, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654751246, api_et=1654747620.000000000, api_lt=1654751220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654747620.000000000, search_lt=1654751248.651313000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2803", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_1c902b86b2f1ee64", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=416, eliminated_buckets=202, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=2546, invocations.command.search.index.bucketcache.hit=416, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, 
invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 05:00:12.292, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654750740_11472', total_run_time=13.14, event_count=0, result_count=0, available_count=0, scan_count=23080919, drop_count=0, exec_time=1654750789, api_et=1654736340.000000000, api_lt=1654750740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654736340.000000000, search_lt=1654750740.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2720", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=154, eliminated_buckets=0, considered_events=23080919, total_slices=1604097, decompressed_slices=398303, duration.command.search.index=7709, invocations.command.search.index.bucketcache.hit=154, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59290, invocations.command.search.rawdata.bucketcache.hit=31, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11295422, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 04:59:12.335, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654750680_11459', total_run_time=13.00, event_count=0, result_count=0, available_count=0, scan_count=23089673, drop_count=0, exec_time=1654750730, api_et=1654736280.000000000, api_lt=1654750680.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654736280.000000000, search_lt=1654750680.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3044", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=154, eliminated_buckets=0, considered_events=23089673, total_slices=1602416, decompressed_slices=398403, duration.command.search.index=7795, invocations.command.search.index.bucketcache.hit=154, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58821, invocations.command.search.rawdata.bucketcache.hit=31, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11297125, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 04:58:12.097, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654750620_11443', total_run_time=12.74, event_count=0, result_count=0, available_count=0, scan_count=23097161, drop_count=0, exec_time=1654750670, api_et=1654736220.000000000, api_lt=1654750620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654736220.000000000, search_lt=1654750620.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2663", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=154, eliminated_buckets=0, considered_events=23097161, total_slices=1600677, decompressed_slices=398517, duration.command.search.index=7675, invocations.command.search.index.bucketcache.hit=154, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58668, invocations.command.search.rawdata.bucketcache.hit=31, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11298290, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 04:57:12.165, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654750560_11426', total_run_time=12.82, event_count=0, result_count=0, available_count=0, scan_count=23103926, drop_count=0, exec_time=1654750610, api_et=1654736160.000000000, api_lt=1654750560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654736160.000000000, search_lt=1654750560.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2601", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=154, eliminated_buckets=0, considered_events=23103926, total_slices=1598968, decompressed_slices=398568, duration.command.search.index=7675, invocations.command.search.index.bucketcache.hit=154, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59881, invocations.command.search.rawdata.bucketcache.hit=31, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11299671, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 04:56:12.242, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654750500_11415', total_run_time=13.79, event_count=0, result_count=0, available_count=0, scan_count=23109517, drop_count=0, exec_time=1654750549, api_et=1654736100.000000000, api_lt=1654750500.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654736100.000000000, search_lt=1654750500.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2748", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=154, eliminated_buckets=0, considered_events=23109517, total_slices=1597231, decompressed_slices=398715, duration.command.search.index=8183, invocations.command.search.index.bucketcache.hit=154, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58829, invocations.command.search.rawdata.bucketcache.hit=31, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11300099, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 04:55:12.328, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654750440_11400', total_run_time=13.26, event_count=0, result_count=0, available_count=0, scan_count=23116103, drop_count=0, exec_time=1654750489, api_et=1654736040.000000000, api_lt=1654750440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654736040.000000000, search_lt=1654750440.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2724", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=154, eliminated_buckets=0, considered_events=23116103, total_slices=1595427, decompressed_slices=398863, duration.command.search.index=8167, invocations.command.search.index.bucketcache.hit=154, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56660, invocations.command.search.rawdata.bucketcache.hit=31, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11301626, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 04:54:12.200, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654750380_11383', total_run_time=13.11, event_count=0, result_count=0, available_count=0, scan_count=23122922, drop_count=0, exec_time=1654750429, api_et=1654735980.000000000, api_lt=1654750380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654735980.000000000, search_lt=1654750380.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2999", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=152, eliminated_buckets=0, considered_events=23122922, total_slices=1593772, decompressed_slices=399059, duration.command.search.index=7832, invocations.command.search.index.bucketcache.hit=152, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57533, invocations.command.search.rawdata.bucketcache.hit=30, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11301923, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 04:53:12.696, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654750320_11360', total_run_time=13.80, event_count=0, result_count=0, available_count=0, scan_count=23130194, drop_count=0, exec_time=1654750369, api_et=1654735920.000000000, api_lt=1654750320.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654735920.000000000, search_lt=1654750320.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2722", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=152, eliminated_buckets=0, considered_events=23130194, total_slices=1592003, decompressed_slices=399117, duration.command.search.index=8005, invocations.command.search.index.bucketcache.hit=152, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58702, invocations.command.search.rawdata.bucketcache.hit=30, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11302167, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 04:52:46.236, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654750200_11319', total_run_time=15.64, event_count=0, result_count=0, available_count=0, scan_count=23141852, drop_count=0, exec_time=1654750249, api_et=1654735800.000000000, api_lt=1654750200.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654735800.000000000, search_lt=1654750200.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2744", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=152, eliminated_buckets=0, considered_events=23141852, total_slices=1588688, decompressed_slices=399231, duration.command.search.index=8373, invocations.command.search.index.bucketcache.hit=152, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=60397, invocations.command.search.rawdata.bucketcache.hit=30, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11302793, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 04:52:46.226, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654750260_11343', total_run_time=12.49, event_count=0, result_count=0, available_count=0, scan_count=23138199, drop_count=0, exec_time=1654750309, api_et=1654735860.000000000, api_lt=1654750260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654735860.000000000, search_lt=1654750260.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2605", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=152, eliminated_buckets=0, considered_events=23138199, total_slices=1590387, decompressed_slices=399155, duration.command.search.index=8336, invocations.command.search.index.bucketcache.hit=152, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57077, invocations.command.search.rawdata.bucketcache.hit=30, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11302738, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 04:50:11.509, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654750140_11295', total_run_time=12.71, event_count=0, result_count=0, available_count=0, scan_count=23150230, drop_count=0, exec_time=1654750190, api_et=1654735740.000000000, api_lt=1654750140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654735740.000000000, search_lt=1654750140.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2790", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=152, eliminated_buckets=0, considered_events=23150230, total_slices=1586816, decompressed_slices=399374, duration.command.search.index=8118, invocations.command.search.index.bucketcache.hit=152, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56407, invocations.command.search.rawdata.bucketcache.hit=29, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11303935, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 04:49:08.010, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654750020_11257', total_run_time=13.10, event_count=0, result_count=0, available_count=0, scan_count=23168408, drop_count=0, exec_time=1654750069, api_et=1654735620.000000000, api_lt=1654750020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654735620.000000000, search_lt=1654750020.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2717", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=152, eliminated_buckets=0, considered_events=23168408, total_slices=1609363, decompressed_slices=399647, duration.command.search.index=8031, invocations.command.search.index.bucketcache.hit=152, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59940, invocations.command.search.rawdata.bucketcache.hit=30, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11306694, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 04:49:06.710, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654749960_11236', total_run_time=15.02, event_count=0, result_count=0, available_count=0, scan_count=23177799, drop_count=0, exec_time=1654750009, api_et=1654735560.000000000, api_lt=1654749960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654735560.000000000, search_lt=1654749960.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="4525", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=152, eliminated_buckets=0, considered_events=23177799, total_slices=1607710, decompressed_slices=399833, duration.command.search.index=7851, invocations.command.search.index.bucketcache.hit=152, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58810, invocations.command.search.rawdata.bucketcache.hit=30, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11306119, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 04:49:06.299, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654750080_11274', total_run_time=13.79, event_count=0, result_count=0, available_count=0, scan_count=23158510, drop_count=0, exec_time=1654750129, api_et=1654735680.000000000, api_lt=1654750080.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654735680.000000000, search_lt=1654750080.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2616", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=152, eliminated_buckets=0, considered_events=23158510, total_slices=1611003, decompressed_slices=399500, duration.command.search.index=8293, invocations.command.search.index.bucketcache.hit=152, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61636, invocations.command.search.rawdata.bucketcache.hit=30, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11304988, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 04:49:06.105, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654749900_11218', total_run_time=13.63, event_count=0, result_count=0, available_count=0, scan_count=23185248, drop_count=0, exec_time=1654749949, api_et=1654735500.000000000, api_lt=1654749900.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654735500.000000000, search_lt=1654749900.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2636", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=152, eliminated_buckets=0, considered_events=23185248, total_slices=1605916, decompressed_slices=399968, duration.command.search.index=7743, invocations.command.search.index.bucketcache.hit=152, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=60025, invocations.command.search.rawdata.bucketcache.hit=30, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11307615, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 04:45:02.072, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654749840_11194', total_run_time=12.92, event_count=0, result_count=0, available_count=0, scan_count=23196583, drop_count=0, exec_time=1654749889, api_et=1654735440.000000000, api_lt=1654749840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654735440.000000000, search_lt=1654749840.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2657", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=151, eliminated_buckets=0, considered_events=23196583, total_slices=1604141, decompressed_slices=400152, duration.command.search.index=8322, invocations.command.search.index.bucketcache.hit=151, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59043, invocations.command.search.rawdata.bucketcache.hit=30, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11309991, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 04:44:55.596, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654749780_11174', total_run_time=15.17, event_count=0, result_count=0, available_count=0, scan_count=23206296, drop_count=0, exec_time=1654749829, api_et=1654735380.000000000, api_lt=1654749780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654735380.000000000, search_lt=1654749780.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3058", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=151, eliminated_buckets=0, considered_events=23206296, total_slices=1602444, decompressed_slices=400263, duration.command.search.index=8889, invocations.command.search.index.bucketcache.hit=151, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=60409, invocations.command.search.rawdata.bucketcache.hit=29, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11312689, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 04:44:02.367, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654749780_11171', total_run_time=21.78, event_count=0, result_count=0, available_count=0, scan_count=3687, drop_count=0, exec_time=1654749818, api_et=1654746180.000000000, api_lt=1654749780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654746180.000000000, search_lt=1654749819.976137000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2852", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_400fa05a5aff6e03", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=129, eliminated_buckets=0, considered_events=3687, total_slices=758653, decompressed_slices=1261, duration.command.search.index=1087, invocations.command.search.index.bucketcache.hit=129, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4785, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter 
vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 04:43:32.309, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654749720_11147', total_run_time=13.17, event_count=0, result_count=0, available_count=0, scan_count=23216525, drop_count=0, exec_time=1654749769, api_et=1654735320.000000000, api_lt=1654749720.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654735320.000000000, search_lt=1654749720.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2631", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=151, eliminated_buckets=0, considered_events=23216525, total_slices=1600643, decompressed_slices=400362, duration.command.search.index=8446, invocations.command.search.index.bucketcache.hit=151, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58946, invocations.command.search.rawdata.bucketcache.hit=29, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11313908, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 04:42:22.475, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654749660_11123', total_run_time=12.96, event_count=0, result_count=0, available_count=0, scan_count=23227596, drop_count=0, exec_time=1654749709, api_et=1654735260.000000000, api_lt=1654749660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654735260.000000000, search_lt=1654749660.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2621", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=151, eliminated_buckets=1, considered_events=23227596, total_slices=1598967, decompressed_slices=400404, duration.command.search.index=8248, invocations.command.search.index.bucketcache.hit=151, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56210, invocations.command.search.rawdata.bucketcache.hit=29, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11314793, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 04:42:01.687, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654749480_11060', total_run_time=13.05, event_count=0, result_count=0, available_count=0, scan_count=23257132, drop_count=0, exec_time=1654749529, api_et=1654735080.000000000, api_lt=1654749480.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654735080.000000000, search_lt=1654749480.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2923", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=150, eliminated_buckets=0, considered_events=23257132, total_slices=1593807, decompressed_slices=400783, duration.command.search.index=8019, invocations.command.search.index.bucketcache.hit=150, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57824, invocations.command.search.rawdata.bucketcache.hit=29, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11318399, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 04:42:01.468, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654749600_11099', total_run_time=14.78, event_count=0, result_count=0, available_count=0, scan_count=23233660, drop_count=0, exec_time=1654749649, api_et=1654735200.000000000, api_lt=1654749600.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654735200.000000000, search_lt=1654749600.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2944", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=151, eliminated_buckets=1, considered_events=23233660, total_slices=1597362, decompressed_slices=400564, duration.command.search.index=8011, invocations.command.search.index.bucketcache.hit=151, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58581, invocations.command.search.rawdata.bucketcache.hit=29, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11314449, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 04:42:01.459, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654749540_11076', total_run_time=12.94, event_count=0, result_count=0, available_count=0, scan_count=23246890, drop_count=0, exec_time=1654749589, api_et=1654735140.000000000, api_lt=1654749540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654735140.000000000, search_lt=1654749540.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2617", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=151, eliminated_buckets=1, considered_events=23246890, total_slices=1595582, decompressed_slices=400665, duration.command.search.index=8068, invocations.command.search.index.bucketcache.hit=151, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58003, invocations.command.search.rawdata.bucketcache.hit=29, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11317391, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 04:38:22.282, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654749420_11045', total_run_time=13.94, event_count=0, result_count=0, available_count=0, scan_count=23266990, drop_count=0, exec_time=1654749470, api_et=1654735020.000000000, api_lt=1654749420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654735020.000000000, search_lt=1654749420.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3157", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=150, eliminated_buckets=0, considered_events=23266990, total_slices=1592151, decompressed_slices=400995, duration.command.search.index=7831, invocations.command.search.index.bucketcache.hit=150, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59647, invocations.command.search.rawdata.bucketcache.hit=29, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11316399, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 04:37:22.561, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654749360_11030', total_run_time=15.08, event_count=0, result_count=0, available_count=0, scan_count=23278342, drop_count=0, exec_time=1654749409, api_et=1654734960.000000000, api_lt=1654749360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654734960.000000000, search_lt=1654749360.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3104", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=150, eliminated_buckets=0, considered_events=23278342, total_slices=1590359, decompressed_slices=401097, duration.command.search.index=8310, invocations.command.search.index.bucketcache.hit=150, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57939, invocations.command.search.rawdata.bucketcache.hit=29, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11316254, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 04:36:26.320, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654749120_10926', total_run_time=19.24, event_count=0, result_count=0, available_count=0, scan_count=23314856, drop_count=0, exec_time=1654749169, api_et=1654734720.000000000, api_lt=1654749120.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654734720.000000000, search_lt=1654749120.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2723", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=148, eliminated_buckets=0, considered_events=23314856, total_slices=1583439, decompressed_slices=401754, duration.command.search.index=9617, invocations.command.search.index.bucketcache.hit=148, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=77556, invocations.command.search.rawdata.bucketcache.hit=27, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11314870, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 04:36:24.844, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654749300_11020', total_run_time=13.69, event_count=0, result_count=0, available_count=0, scan_count=23284685, drop_count=0, exec_time=1654749350, api_et=1654734900.000000000, api_lt=1654749300.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654734900.000000000, search_lt=1654749300.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2773", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=150, eliminated_buckets=0, considered_events=23284685, total_slices=1588653, decompressed_slices=401289, duration.command.search.index=8028, invocations.command.search.index.bucketcache.hit=150, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58160, invocations.command.search.rawdata.bucketcache.hit=28, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11315175, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 04:36:24.704, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654749180_10962', total_run_time=20.01, event_count=0, result_count=0, available_count=0, scan_count=23302254, drop_count=0, exec_time=1654749230, api_et=1654734780.000000000, api_lt=1654749180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654734780.000000000, search_lt=1654749180.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2834", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=148, eliminated_buckets=0, considered_events=23302254, total_slices=1584790, decompressed_slices=401617, duration.command.search.index=10423, invocations.command.search.index.bucketcache.hit=148, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=75560, invocations.command.search.rawdata.bucketcache.hit=27, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11314434, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 04:36:24.472, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654749060_10897', total_run_time=20.53, event_count=0, result_count=0, available_count=0, scan_count=23323760, drop_count=0, exec_time=1654749109, api_et=1654734660.000000000, api_lt=1654749060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654734660.000000000, search_lt=1654749060.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3283", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=0, considered_events=23323760, total_slices=1581868, decompressed_slices=401873, duration.command.search.index=9630, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=70626, invocations.command.search.rawdata.bucketcache.hit=27, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11315129, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 04:36:24.146, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654749240_10998', total_run_time=18.88, event_count=0, result_count=0, available_count=0, scan_count=23293272, drop_count=0, exec_time=1654749289, api_et=1654734840.000000000, api_lt=1654749240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654734840.000000000, search_lt=1654749240.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2680", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=149, eliminated_buckets=0, considered_events=23293272, total_slices=1586810, decompressed_slices=401330, duration.command.search.index=8870, invocations.command.search.index.bucketcache.hit=149, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61996, invocations.command.search.rawdata.bucketcache.hit=28, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11315138, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 04:36:24.124, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654749000_10868', total_run_time=23.75, event_count=0, result_count=0, available_count=0, scan_count=23330439, drop_count=0, exec_time=1654749049, api_et=1654734600.000000000, api_lt=1654749000.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654734600.000000000, search_lt=1654749000.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2771", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=0, considered_events=23330439, total_slices=1580135, decompressed_slices=402068, duration.command.search.index=11138, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=86695, invocations.command.search.rawdata.bucketcache.hit=25, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11314866, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 04:36:23.786, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654749180_10948', total_run_time=56.80, event_count=0, result_count=0, available_count=0, scan_count=41844646, drop_count=0, exec_time=1654749205, api_et=1654745580.000000000, api_lt=1654749180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654745580.000000000, search_lt=1654749207.576941000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3834", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_4a76968869bb5266", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1861, eliminated_buckets=137, considered_events=41844646, total_slices=13944975, decompressed_slices=4107951, duration.command.search.index=17332, invocations.command.search.index.bucketcache.hit=1861, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=234478, invocations.command.search.rawdata.bucketcache.hit=292, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 04:30:10.723, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654748880_10824', total_run_time=15.35, event_count=0, result_count=0, available_count=0, scan_count=23354218, drop_count=0, exec_time=1654748929, api_et=1654734480.000000000, api_lt=1654748880.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654734480.000000000, search_lt=1654748880.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2750", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=0, considered_events=23354218, total_slices=1576415, decompressed_slices=402545, duration.command.search.index=8257, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=60196, invocations.command.search.rawdata.bucketcache.hit=25, invocations.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11315911, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 04:30:10.358, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654748820_10809', total_run_time=13.68, event_count=0, result_count=0, available_count=0, scan_count=23365789, drop_count=0, exec_time=1654748870, api_et=1654734420.000000000, api_lt=1654748820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654734420.000000000, search_lt=1654748820.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2862", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=148, eliminated_buckets=0, considered_events=23365789, total_slices=1601108, decompressed_slices=402648, duration.command.search.index=8492, invocations.command.search.index.bucketcache.hit=148, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=60779, invocations.command.search.rawdata.bucketcache.hit=26, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11314653, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 04:30:10.004, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654748700_10775', total_run_time=15.47, event_count=0, result_count=0, available_count=0, scan_count=23382744, drop_count=0, exec_time=1654748749, api_et=1654734300.000000000, api_lt=1654748700.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654734300.000000000, search_lt=1654748700.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3128", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=0, considered_events=23382744, total_slices=1597681, decompressed_slices=402936, duration.command.search.index=8319, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61300, invocations.command.search.rawdata.bucketcache.hit=25, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11314410, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 04:30:09.662, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654748940_10837', total_run_time=15.34, event_count=0, result_count=0, available_count=0, scan_count=23341182, drop_count=0, exec_time=1654748990, api_et=1654734540.000000000, api_lt=1654748940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654734540.000000000, search_lt=1654748940.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2658", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=0, considered_events=23341182, total_slices=1578249, decompressed_slices=402255, duration.command.search.index=7970, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=60646, invocations.command.search.rawdata.bucketcache.hit=25, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11313731, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 04:30:09.505, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654748760_10791', total_run_time=15.28, event_count=0, result_count=0, available_count=0, scan_count=23374732, drop_count=0, exec_time=1654748809, api_et=1654734360.000000000, api_lt=1654748760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654734360.000000000, search_lt=1654748760.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2650", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=0, considered_events=23374732, total_slices=1599467, decompressed_slices=402768, duration.command.search.index=8417, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=60970, invocations.command.search.rawdata.bucketcache.hit=26, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11314720, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 04:25:26.914, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654748640_10761', total_run_time=16.59, event_count=0, result_count=0, available_count=0, scan_count=23398471, drop_count=0, exec_time=1654748689, api_et=1654734240.000000000, api_lt=1654748640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654734240.000000000, search_lt=1654748640.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2770", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=0, considered_events=23398471, total_slices=1595946, decompressed_slices=403206, duration.command.search.index=9076, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59745, invocations.command.search.rawdata.bucketcache.hit=25, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11316988, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 04:24:26.695, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654748580_10742', total_run_time=14.08, event_count=0, result_count=0, available_count=0, scan_count=23415441, drop_count=0, exec_time=1654748629, api_et=1654734180.000000000, api_lt=1654748580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654734180.000000000, search_lt=1654748580.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2653", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=0, considered_events=23415441, total_slices=1594166, decompressed_slices=403510, duration.command.search.index=8658, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58605, invocations.command.search.rawdata.bucketcache.hit=25, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11320619, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 04:23:26.749, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654748520_10710', total_run_time=17.29, event_count=0, result_count=0, available_count=0, scan_count=23429915, drop_count=0, exec_time=1654748570, api_et=1654734120.000000000, api_lt=1654748520.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654734120.000000000, search_lt=1654748520.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2714", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=0, considered_events=23429915, total_slices=1592546, decompressed_slices=403653, duration.command.search.index=8630, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=62129, invocations.command.search.rawdata.bucketcache.hit=25, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11322287, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 04:22:26.783, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654748460_10694', total_run_time=18.46, event_count=0, result_count=0, available_count=0, scan_count=23442461, drop_count=0, exec_time=1654748509, api_et=1654734060.000000000, api_lt=1654748460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654734060.000000000, search_lt=1654748460.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2689", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=0, considered_events=23442461, total_slices=1590828, decompressed_slices=403648, duration.command.search.index=8601, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=63198, invocations.command.search.rawdata.bucketcache.hit=25, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11324439, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 04:21:27.173, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654748400_10665', total_run_time=19.11, event_count=0, result_count=0, available_count=0, scan_count=23448934, drop_count=0, exec_time=1654748449, api_et=1654734000.000000000, api_lt=1654748400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654734000.000000000, search_lt=1654748400.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2725", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=0, considered_events=23448934, total_slices=1589007, decompressed_slices=403862, duration.command.search.index=9299, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=63306, invocations.command.search.rawdata.bucketcache.hit=25, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11324888, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 04:20:26.640, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654748340_10642', total_run_time=18.66, event_count=0, result_count=0, available_count=0, scan_count=23463054, drop_count=0, exec_time=1654748389, api_et=1654733940.000000000, api_lt=1654748340.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654733940.000000000, search_lt=1654748340.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2732", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=1, considered_events=23463054, total_slices=1587189, decompressed_slices=404102, duration.command.search.index=8574, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61619, invocations.command.search.rawdata.bucketcache.hit=25, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11326943, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 04:19:26.566, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654748280_10616', total_run_time=17.96, event_count=0, result_count=0, available_count=0, scan_count=23480670, drop_count=0, exec_time=1654748329, api_et=1654733880.000000000, api_lt=1654748280.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654733880.000000000, search_lt=1654748280.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2781", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=1, considered_events=23480670, total_slices=1585497, decompressed_slices=404359, duration.command.search.index=9330, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=67024, invocations.command.search.rawdata.bucketcache.hit=25, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11332014, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 04:18:26.411, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654748220_10596', total_run_time=17.20, event_count=0, result_count=0, available_count=0, scan_count=23497154, drop_count=0, exec_time=1654748269, api_et=1654733820.000000000, api_lt=1654748220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654733820.000000000, search_lt=1654748220.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2652", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=1, considered_events=23497154, total_slices=1583808, decompressed_slices=404599, duration.command.search.index=8851, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=63283, invocations.command.search.rawdata.bucketcache.hit=25, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11333320, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 04:17:26.676, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654748160_10573', total_run_time=16.65, event_count=0, result_count=0, available_count=0, scan_count=23511508, drop_count=0, exec_time=1654748209, api_et=1654733760.000000000, api_lt=1654748160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654733760.000000000, search_lt=1654748160.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2667", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=148, eliminated_buckets=1, considered_events=23511508, total_slices=1608567, decompressed_slices=404720, duration.command.search.index=8935, invocations.command.search.index.bucketcache.hit=148, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=63537, invocations.command.search.rawdata.bucketcache.hit=26, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11335963, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 04:16:26.705, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654748100_10555', total_run_time=16.44, event_count=0, result_count=0, available_count=0, scan_count=23522878, drop_count=0, exec_time=1654748149, api_et=1654733700.000000000, api_lt=1654748100.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654733700.000000000, search_lt=1654748100.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2693", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=0, considered_events=23522878, total_slices=1606786, decompressed_slices=404855, duration.command.search.index=8807, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=65539, invocations.command.search.rawdata.bucketcache.hit=26, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11334873, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 04:16:26.498, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654748160_10567', total_run_time=9.57, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654748170, api_et=1654743960.000000000, api_lt=1654747560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654744560.000000000, search_lt=1654748172.915724000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3811", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_ab0cff3b29123bac", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1077, eliminated_buckets=383, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=744, invocations.command.search.index.bucketcache.hit=1077, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes 
values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 04:15:26.440, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654748040_10536', total_run_time=13.11, event_count=0, result_count=0, available_count=0, scan_count=23539071, drop_count=0, exec_time=1654748089, api_et=1654733640.000000000, api_lt=1654748040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654733640.000000000, search_lt=1654748040.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2683", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=0, considered_events=23539071, total_slices=1605108, 
decompressed_slices=405069, duration.command.search.index=7959, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58545, invocations.command.search.rawdata.bucketcache.hit=26, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11336699, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 04:14:56.756, 
user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654748040_10523', total_run_time=5.23, event_count=0, result_count=0, available_count=0, scan_count=16646, drop_count=0, exec_time=1654748063, api_et=1654744440.000000000, api_lt=1654748040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654744440.000000000, search_lt=1654748065.366352000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2788", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=417, eliminated_buckets=285, considered_events=17563, total_slices=384882, decompressed_slices=2924, duration.command.search.index=1077, invocations.command.search.index.bucketcache.hit=417, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5806, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=61, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=106, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=287, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=63, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=3, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=162, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=1, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull 
value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-09-2022 04:14:26.549, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654747980_10513', total_run_time=13.43, event_count=0, result_count=0, available_count=0, scan_count=23556069, drop_count=0, exec_time=1654748029, api_et=1654733580.000000000, api_lt=1654747980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654733580.000000000, search_lt=1654747980.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2627", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=0, considered_events=23556069, total_slices=1629698, decompressed_slices=405218, duration.command.search.index=8025, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, 
invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59798, invocations.command.search.rawdata.bucketcache.hit=26, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11338634, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 04:13:27.274, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654747920_10487', total_run_time=13.60, event_count=0, result_count=0, available_count=0, scan_count=23572195, drop_count=0, exec_time=1654747969, 
api_et=1654733520.000000000, api_lt=1654747920.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654733520.000000000, search_lt=1654747920.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2786", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=0, considered_events=23572195, total_slices=1628056, decompressed_slices=405383, duration.command.search.index=8360, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=60759, invocations.command.search.rawdata.bucketcache.hit=26, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11340033, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS 
existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 04:12:26.119, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654747860_10451', total_run_time=5.45, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654747864, api_et=1654744260.000000000, api_lt=1654747860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654744260.000000000, search_lt=1654747866.621054000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="3072", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_3ba8700467cb7b71", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=123, eliminated_buckets=48, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=53, invocations.command.search.index.bucketcache.hit=123, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, 
duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 04:12:25.887, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654747800_10442', total_run_time=19.25, event_count=0, result_count=0, available_count=0, scan_count=23599901, drop_count=0, exec_time=1654747849, api_et=1654733400.000000000, api_lt=1654747800.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654733400.000000000, search_lt=1654747800.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3068", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=146, eliminated_buckets=0, considered_events=23599901, total_slices=1624670, decompressed_slices=405817, duration.command.search.index=9468, invocations.command.search.index.bucketcache.hit=146, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=65150, invocations.command.search.rawdata.bucketcache.hit=26, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11340332, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 04:12:25.737, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654747860_10469', total_run_time=15.26, event_count=0, result_count=0, available_count=0, scan_count=23585661, drop_count=0, exec_time=1654747909, api_et=1654733460.000000000, api_lt=1654747860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654733460.000000000, search_lt=1654747860.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3064", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=0, considered_events=23585661, total_slices=1626390, decompressed_slices=405558, duration.command.search.index=8497, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=63559, invocations.command.search.rawdata.bucketcache.hit=26, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11340143, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 04:10:17.730, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654747740_10423', total_run_time=17.34, event_count=0, result_count=0, available_count=0, scan_count=23615728, drop_count=0, exec_time=1654747789, api_et=1654733340.000000000, api_lt=1654747740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654733340.000000000, search_lt=1654747740.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2806", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=146, eliminated_buckets=0, considered_events=23615728, total_slices=1623026, decompressed_slices=405954, duration.command.search.index=8585, invocations.command.search.index.bucketcache.hit=146, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=64307, invocations.command.search.rawdata.bucketcache.hit=26, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11341849, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 04:09:47.763, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654747740_10415', total_run_time=19.32, event_count=0, result_count=0, available_count=0, scan_count=5636061, drop_count=0, exec_time=1654747745, api_et=1654743540.000000000, api_lt=1654747140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654743540.000000000, search_lt=1654747140.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3118", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_553384fd104a2096", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=808, eliminated_buckets=382, considered_events=5636061, total_slices=1154541, decompressed_slices=238305, duration.command.search.index=2464, invocations.command.search.index.bucketcache.hit=806, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=40022, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=168, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", 
risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 04:09:17.643, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654747680_10407', total_run_time=16.48, event_count=0, result_count=0, available_count=0, scan_count=23630945, drop_count=0, exec_time=1654747729, api_et=1654733280.000000000, api_lt=1654747680.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654733280.000000000, search_lt=1654747680.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2725", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=146, eliminated_buckets=0, considered_events=23630945, total_slices=1621256, decompressed_slices=406155, duration.command.search.index=8986, invocations.command.search.index.bucketcache.hit=146, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=62577, invocations.command.search.rawdata.bucketcache.hit=26, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, 
duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11343205, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 04:08:47.720, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654747620_10399', total_run_time=15.93, event_count=1186, result_count=58, available_count=0, scan_count=359709, drop_count=0, exec_time=1654747684, api_et=1654744020.000000000, api_lt=1654747620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654744020.000000000, search_lt=1654747686.199512000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - Windows - CLI Threat Indicator 
Detected - Rule", search_startup_time="2883", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=419, eliminated_buckets=204, considered_events=367777, total_slices=637940, decompressed_slices=111531, duration.command.search.index=3189, invocations.command.search.index.bucketcache.hit=418, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=30004, invocations.command.search.rawdata.bucketcache.hit=6, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=2, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=290644, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=33672, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory 
notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-09-2022 04:08:17.743, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654747620_10390', total_run_time=15.80, event_count=0, result_count=0, available_count=0, scan_count=23652476, drop_count=0, exec_time=1654747669, api_et=1654733220.000000000, api_lt=1654747620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654733220.000000000, search_lt=1654747620.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2654", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=146, eliminated_buckets=0, considered_events=23652476, total_slices=1619528, decompressed_slices=406317, duration.command.search.index=8792, invocations.command.search.index.bucketcache.hit=146, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=62282, invocations.command.search.rawdata.bucketcache.hit=26, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11344024, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 04:07:47.783, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654747620_10385', total_run_time=6.40, event_count=0, result_count=0, available_count=0, 
scan_count=0, drop_count=0, exec_time=1654747646, api_et=1654744020.000000000, api_lt=1654747620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654744020.000000000, search_lt=1654747648.409472000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2835", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_d9b7c0489057b460", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=419, eliminated_buckets=204, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=889, invocations.command.search.index.bucketcache.hit=418, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR 
CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 04:07:17.756, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654747560_10370', total_run_time=15.25, event_count=0, result_count=0, available_count=0, scan_count=23669376, drop_count=0, exec_time=1654747610, api_et=1654733160.000000000, api_lt=1654747560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654733160.000000000, search_lt=1654747560.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2709", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=0, considered_events=23669376, total_slices=1643866, decompressed_slices=406513, duration.command.search.index=8632, 
invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61082, invocations.command.search.rawdata.bucketcache.hit=27, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11345231, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 04:06:17.714, user=u00002, action=search, info=completed, 
search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654747500_10355', total_run_time=18.40, event_count=0, result_count=0, available_count=0, scan_count=23681970, drop_count=0, exec_time=1654747550, api_et=1654733100.000000000, api_lt=1654747500.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654733100.000000000, search_lt=1654747500.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2749", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=0, considered_events=23681970, total_slices=1641896, decompressed_slices=406747, duration.command.search.index=8600, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=66479, invocations.command.search.rawdata.bucketcache.hit=27, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11346293, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" 
src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 04:05:18.064, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654747440_10337', total_run_time=25.65, event_count=0, result_count=0, available_count=0, scan_count=23701344, drop_count=0, exec_time=1654747489, api_et=1654733040.000000000, api_lt=1654747440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654733040.000000000, search_lt=1654747440.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2823", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=0, considered_events=23701344, total_slices=1639900, decompressed_slices=406988, duration.command.search.index=9991, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, 
invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=79315, invocations.command.search.rawdata.bucketcache.hit=27, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11349336, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 04:04:48.164, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654747380_10295', total_run_time=36.72, 
event_count=0, result_count=0, available_count=0, scan_count=23719818, drop_count=0, exec_time=1654747429, api_et=1654732980.000000000, api_lt=1654747380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654732980.000000000, search_lt=1654747380.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3031", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=0, considered_events=23719818, total_slices=1637931, decompressed_slices=407360, duration.command.search.index=10322, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=86874, invocations.command.search.rawdata.bucketcache.hit=27, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11352209, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, 
dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 04:03:47.796, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654747320_10248', total_run_time=38.43, event_count=0, result_count=0, available_count=0, scan_count=23741115, drop_count=0, exec_time=1654747369, api_et=1654732920.000000000, api_lt=1654747320.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654732920.000000000, search_lt=1654747320.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2851", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=0, considered_events=23741115, total_slices=1636681, decompressed_slices=407625, duration.command.search.index=9657, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, 
duration.command.search.rawdata=76064, invocations.command.search.rawdata.bucketcache.hit=27, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11355241, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 04:02:47.781, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654747260_10217', total_run_time=35.69, event_count=0, result_count=0, available_count=0, scan_count=23759677, drop_count=0, exec_time=1654747309, api_et=1654732860.000000000, 
api_lt=1654747260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654732860.000000000, search_lt=1654747260.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2708", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=0, considered_events=23759677, total_slices=1634960, decompressed_slices=407891, duration.command.search.index=10244, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=78763, invocations.command.search.rawdata.bucketcache.hit=27, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11356951, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, 
earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 04:01:17.685, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654747200_10186', total_run_time=19.34, event_count=0, result_count=0, available_count=0, scan_count=23764896, drop_count=0, exec_time=1654747249, api_et=1654732800.000000000, api_lt=1654747200.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654732800.000000000, search_lt=1654747200.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2752", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=0, considered_events=23764896, total_slices=1632886, decompressed_slices=407844, duration.command.search.index=9582, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=73689, invocations.command.search.rawdata.bucketcache.hit=27, duration.command.search.rawdata.bucketcache.hit=0, 
invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11350518, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 03:44:23.189, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654746180_9887', total_run_time=21.28, event_count=0, result_count=0, available_count=0, scan_count=4880, drop_count=0, exec_time=1654746218, api_et=1654742580.000000000, api_lt=1654746180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654742580.000000000, search_lt=1654746220.740800000, is_realtime=0, savedsearch_name="Threat - 
DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3079", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_ec89b24792f210c6", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=129, eliminated_buckets=0, considered_events=4880, total_slices=891035, decompressed_slices=1679, duration.command.search.index=1014, invocations.command.search.index.bucketcache.hit=129, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4871, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, 
risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 03:36:05.802, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654745580_9678', total_run_time=146.66, event_count=0, result_count=0, available_count=0, scan_count=41301300, drop_count=0, exec_time=1654745605, api_et=1654741980.000000000, api_lt=1654745580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654741980.000000000, search_lt=1654745607.180993000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3824", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_380485333c3b6f3b", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1868, eliminated_buckets=137, considered_events=41301300, total_slices=14034171, decompressed_slices=4092821, duration.command.search.index=23271, invocations.command.search.index.bucketcache.hit=1868, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=284488, invocations.command.search.rawdata.bucketcache.hit=305, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, 
invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 03:16:35.577, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654744560_9334', total_run_time=12.18, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654744571, api_et=1654740360.000000000, api_lt=1654743960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654740960.000000000, search_lt=1654744572.855133000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3210", has_error_msg=false, 
fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_49989aac5a95d7f4", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1078, eliminated_buckets=383, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=690, invocations.command.search.index.bucketcache.hit=1078, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?<rapiddiag_operation>task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metadata")` | rex field=uri "\?(?<get_parameters>.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?<task_name>.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metadata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as 
task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 03:15:41.686, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654744260_9226', total_run_time=7.04, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654744264, api_et=1654740660.000000000, api_lt=1654744260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654740660.000000000, search_lt=1654744266.789480000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="3328", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_a241731b662ef54a", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=123, eliminated_buckets=48, considered_events=0, 
total_slices=0, decompressed_slices=0, duration.command.search.index=50, invocations.command.search.index.bucketcache.hit=123, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?<dest_host>.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 03:15:40.978, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654744440_9293', total_run_time=4.95, event_count=0, result_count=0, available_count=0, scan_count=11217, drop_count=0, exec_time=1654744463, api_et=1654740840.000000000, api_lt=1654744440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654740840.000000000, search_lt=1654744465.367668000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2779", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=414, eliminated_buckets=282, considered_events=11217, total_slices=382623, decompressed_slices=2863, duration.command.search.index=810, invocations.command.search.index.bucketcache.hit=414, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5507, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=48, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=127, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=344, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=79, 
sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=10, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=75, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=7, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR 
sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-09-2022 03:10:00.042, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654744020_9173', total_run_time=16.24, event_count=1220, result_count=56, available_count=0, scan_count=375550, drop_count=0, exec_time=1654744080, api_et=1654740420.000000000, api_lt=1654744020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654740420.000000000, search_lt=1654744082.061431000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2736", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=417, eliminated_buckets=205, considered_events=381323, total_slices=601325, decompressed_slices=107566, duration.command.search.index=3628, invocations.command.search.index.bucketcache.hit=417, duration.command.search.index.bucketcache.hit=0, 
invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=29524, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=2, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=307048, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=34816, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-09-2022 03:09:59.670, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654744140_9192', total_run_time=22.76, event_count=0, result_count=0, available_count=0, scan_count=5128468, drop_count=0, exec_time=1654744145, api_et=1654739940.000000000, api_lt=1654743540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654739940.000000000, search_lt=1654743540.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3089", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_8d0f3ea46c8efc08", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=809, eliminated_buckets=387, considered_events=5128468, total_slices=1124223, decompressed_slices=229550, duration.command.search.index=2059, invocations.command.search.index.bucketcache.hit=809, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=36594, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=143, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?<granted_account_id>\d+?):(?<granted_principal_name>.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 03:09:58.789, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654744020_9168', total_run_time=6.14, event_count=0, result_count=0, available_count=0, scan_count=2, drop_count=0, exec_time=1654744046, api_et=1654740420.000000000, api_lt=1654744020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654740420.000000000, search_lt=1654744048.406277000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To 
Gitlab Servers - Rule", search_startup_time="2845", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_102ccec20958e1fa", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=418, eliminated_buckets=205, considered_events=2, total_slices=8905, decompressed_slices=1, duration.command.search.index=726, invocations.command.search.index.bucketcache.hit=417, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=267, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?<dest_host>(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine 
dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 02:44:11.520, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654742580_8679', total_run_time=21.51, event_count=0, result_count=0, available_count=0, scan_count=3533, drop_count=0, exec_time=1654742618, api_et=1654738980.000000000, api_lt=1654742580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654738980.000000000, search_lt=1654742620.828421000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2984", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_39613e63ad92ca18", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=3533, total_slices=903683, decompressed_slices=1064, duration.command.search.index=1142, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4829, 
invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 02:34:20.356, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654741980_8469', total_run_time=37.76, event_count=0, result_count=0, available_count=0, scan_count=41424052, drop_count=0, exec_time=1654742005, api_et=1654738380.000000000, api_lt=1654741980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654738380.000000000, 
search_lt=1654742007.474188000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3679", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_eda1ae4ddc858d53", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1866, eliminated_buckets=137, considered_events=41424052, total_slices=13834815, decompressed_slices=4087160, duration.command.search.index=15955, invocations.command.search.index.bucketcache.hit=1865, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=228228, invocations.command.search.rawdata.bucketcache.hit=285, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id 
alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 02:19:39.283, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654740960_8120', total_run_time=15.47, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654740971, api_et=1654736760.000000000, api_lt=1654740360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654737360.000000000, search_lt=1654740973.279762000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3404", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_4b234c50978063bd", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1081, eliminated_buckets=386, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=1015, invocations.command.search.index.bucketcache.hit=1081, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, 
invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?<rapiddiag_operation>task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?<get_parameters>.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?<task_name>.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . 
" contain(s) risky tshirt commands that may indicate a CSRF attack." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 02:14:32.424, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654740840_8080', total_run_time=6.13, event_count=0, result_count=0, available_count=0, scan_count=14814, drop_count=0, exec_time=1654740863, api_et=1654737240.000000000, api_lt=1654740840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654737240.000000000, search_lt=1654740865.413393000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2876", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=417, eliminated_buckets=286, considered_events=15262, total_slices=533992, decompressed_slices=3397, duration.command.search.index=1111, invocations.command.search.index.bucketcache.hit=417, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5833, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=45, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=187, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=610, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=114, 
sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=2, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=133, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") 
`filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-09-2022 02:11:39.414, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654740660_8014', total_run_time=5.91, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654740664, api_et=1654737060.000000000, api_lt=1654740660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654737060.000000000, search_lt=1654740666.963410000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="3167", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_adc966edb9210060", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=123, eliminated_buckets=48, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=57, invocations.command.search.index.bucketcache.hit=123, 
duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?<dest_host>.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 02:09:32.422, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654740540_7982', total_run_time=19.84, event_count=0, result_count=0, available_count=0, scan_count=5463546, drop_count=0, exec_time=1654740545, api_et=1654736340.000000000, api_lt=1654739940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654736340.000000000, search_lt=1654739940.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3328", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_a2eba847620a1c2b", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=802, eliminated_buckets=385, considered_events=5463546, total_slices=1156476, decompressed_slices=240314, duration.command.search.index=2187, invocations.command.search.index.bucketcache.hit=801, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=39482, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=212, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?<granted_account_id>\d+?):(?<granted_principal_name>.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 02:08:32.330, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654740420_7968', total_run_time=25.32, event_count=2034, result_count=98, available_count=0, scan_count=452196, drop_count=0, exec_time=1654740484, api_et=1654736820.000000000, api_lt=1654740420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654736820.000000000, search_lt=1654740486.081099000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2812", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=416, eliminated_buckets=201, considered_events=458832, total_slices=591658, decompressed_slices=112288, duration.command.search.index=3777, invocations.command.search.index.bucketcache.hit=415, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=33734, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=366018, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=41936, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | 
rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-09-2022 02:07:49.217, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654740420_7958', total_run_time=6.05, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654740446, api_et=1654736820.000000000, api_lt=1654740420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654736820.000000000, search_lt=1654740448.081467000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2650", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_51c0d385ba9e412d", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=416, eliminated_buckets=201, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=873, invocations.command.search.index.bucketcache.hit=415, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, 
invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?<dest_host>(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 01:44:26.245, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654738980_7491', total_run_time=20.63, event_count=0, result_count=0, available_count=0, scan_count=2787, drop_count=0, exec_time=1654739018, api_et=1654735380.000000000, api_lt=1654738980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654735380.000000000, search_lt=1654739020.248061000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2286", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_61a63e57a1f622b7", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=129, eliminated_buckets=1, considered_events=2787, total_slices=1025233, decompressed_slices=656, duration.command.search.index=1886, invocations.command.search.index.bucketcache.hit=128, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4600, invocations.command.search.rawdata.bucketcache.hit=5, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 01:34:34.635, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654738380_7285', total_run_time=44.28, event_count=0, result_count=0, available_count=0, scan_count=41336228, drop_count=0, exec_time=1654738405, api_et=1654734780.000000000, api_lt=1654738380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654734780.000000000, search_lt=1654738407.183843000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3752", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_ac29e17a6c733d47", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1883, eliminated_buckets=137, considered_events=41336228, total_slices=13899310, decompressed_slices=4078611, duration.command.search.index=14500, invocations.command.search.index.bucketcache.hit=1883, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=244253, invocations.command.search.rawdata.bucketcache.hit=301, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 01:16:33.888, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654737360_6946', total_run_time=9.22, event_count=0, result_count=0, available_count=0, scan_count=1, drop_count=0, exec_time=1654737370, api_et=1654733160.000000000, api_lt=1654736760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654733760.000000000, search_lt=1654737372.519358000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3366", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_f7f10f8392be7c6b", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1080, eliminated_buckets=387, considered_events=1, total_slices=5025, decompressed_slices=1, duration.command.search.index=801, invocations.command.search.index.bucketcache.hit=1080, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=136, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 01:14:34.063, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654737240_6906', total_run_time=5.69, event_count=0, result_count=0, available_count=0, scan_count=14624, drop_count=0, exec_time=1654737263, api_et=1654733640.000000000, api_lt=1654737240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654733640.000000000, search_lt=1654737265.741671000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2768", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=420, eliminated_buckets=287, considered_events=14746, total_slices=691342, decompressed_slices=3777, duration.command.search.index=1195, invocations.command.search.index.bucketcache.hit=417, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5936, invocations.command.search.rawdata.bucketcache.hit=6, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=59, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=234, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=929, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=154, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=3, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=292, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=8, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") 
`filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-09-2022 01:12:36.331, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654737060_6839', total_run_time=5.76, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654737064, api_et=1654733460.000000000, api_lt=1654737060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654733460.000000000, search_lt=1654737066.026319000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2756", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_283f8c03ed1b175e", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=124, eliminated_buckets=51, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=36, invocations.command.search.index.bucketcache.hit=124, 
duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 01:09:56.696, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654736820_6785', total_run_time=13.24, event_count=0, result_count=0, available_count=0, scan_count=3, drop_count=0, exec_time=1654736846, api_et=1654733220.000000000, api_lt=1654736820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654733220.000000000, search_lt=1654736848.378316000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2914", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_ff00c83687c27450", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=418, eliminated_buckets=204, considered_events=3, total_slices=8815, decompressed_slices=2, duration.command.search.index=950, invocations.command.search.index.bucketcache.hit=418, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=406, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 01:09:56.071, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654736940_6808', total_run_time=21.55, event_count=0, result_count=0, available_count=0, scan_count=5291199, drop_count=0, exec_time=1654736946, api_et=1654732740.000000000, api_lt=1654736340.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654732740.000000000, search_lt=1654736340.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3193", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_aa7b3cf9852b6580", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=820, eliminated_buckets=392, considered_events=5291199, total_slices=1218475, decompressed_slices=238399, duration.command.search.index=2370, invocations.command.search.index.bucketcache.hit=817, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=37401, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=118, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 01:09:55.687, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654736820_6790', total_run_time=19.86, event_count=1923, result_count=96, available_count=0, scan_count=494614, drop_count=0, exec_time=1654736880, api_et=1654733220.000000000, api_lt=1654736820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654733220.000000000, search_lt=1654736881.980687000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2847", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=418, eliminated_buckets=204, considered_events=503122, total_slices=554968, decompressed_slices=124019, duration.command.search.index=3720, invocations.command.search.index.bucketcache.hit=418, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=35364, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=1, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=401633, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=41255, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype 
CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-09-2022 01:00:45.277, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654736340_6593', total_run_time=41.13, event_count=0, result_count=0, available_count=0, scan_count=27590443, drop_count=0, exec_time=1654736390, api_et=1654721940.000000000, api_lt=1654736340.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654721940.000000000, search_lt=1654736340.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2742", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=133, eliminated_buckets=0, considered_events=27590443, total_slices=1660591, decompressed_slices=447665, duration.command.search.index=10101, invocations.command.search.index.bucketcache.hit=133, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=80997, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12559393, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 00:59:15.538, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654736280_6580', total_run_time=25.15, event_count=0, result_count=0, available_count=0, 
scan_count=27617479, drop_count=0, exec_time=1654736329, api_et=1654721880.000000000, api_lt=1654736280.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654721880.000000000, search_lt=1654736280.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2833", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=133, eliminated_buckets=0, considered_events=27617479, total_slices=1658861, decompressed_slices=447958, duration.command.search.index=9989, invocations.command.search.index.bucketcache.hit=133, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=77299, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12565725, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv 
src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 00:58:45.592, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654736220_6564', total_run_time=29.71, event_count=0, result_count=0, available_count=0, scan_count=27648315, drop_count=0, exec_time=1654736270, api_et=1654721820.000000000, api_lt=1654736220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654721820.000000000, search_lt=1654736220.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2709", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=133, eliminated_buckets=0, considered_events=27648315, total_slices=1657077, decompressed_slices=448322, duration.command.search.index=10443, invocations.command.search.index.bucketcache.hit=133, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=81214, 
invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12575474, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 00:57:15.379, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654736160_6545', total_run_time=24.04, event_count=0, result_count=0, available_count=0, scan_count=27676678, drop_count=0, exec_time=1654736209, api_et=1654721760.000000000, api_lt=1654736160.000000000, api_index_et=N/A, api_index_lt=N/A, 
search_et=1654721760.000000000, search_lt=1654736160.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2648", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=133, eliminated_buckets=0, considered_events=27676678, total_slices=1655199, decompressed_slices=448625, duration.command.search.index=9625, invocations.command.search.index.bucketcache.hit=133, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=76057, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12582382, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval 
isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 00:56:45.390, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654736100_6534', total_run_time=28.02, event_count=0, result_count=0, available_count=0, scan_count=27704761, drop_count=0, exec_time=1654736149, api_et=1654721700.000000000, api_lt=1654736100.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654721700.000000000, search_lt=1654736100.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3130", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=133, eliminated_buckets=0, considered_events=27704761, total_slices=1653389, decompressed_slices=448919, duration.command.search.index=9969, invocations.command.search.index.bucketcache.hit=133, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=78939, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, 
invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12589508, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 00:55:45.615, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654736040_6515', total_run_time=27.62, event_count=0, result_count=0, available_count=0, scan_count=27729005, drop_count=0, exec_time=1654736089, api_et=1654721640.000000000, api_lt=1654736040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654721640.000000000, search_lt=1654736040.000000000, is_realtime=0, 
savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2763", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=133, eliminated_buckets=0, considered_events=27729005, total_slices=1651514, decompressed_slices=449169, duration.command.search.index=9919, invocations.command.search.index.bucketcache.hit=133, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=76054, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12594830, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as 
ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 00:54:45.412, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654735980_6499', total_run_time=36.82, event_count=0, result_count=0, available_count=0, scan_count=27758962, drop_count=0, exec_time=1654736029, api_et=1654721580.000000000, api_lt=1654735980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654721580.000000000, search_lt=1654735980.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2666", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=133, eliminated_buckets=0, considered_events=27758962, total_slices=1649618, decompressed_slices=449441, duration.command.search.index=10265, invocations.command.search.index.bucketcache.hit=133, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=79133, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, 
invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12605097, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 00:53:34.926, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654735920_6473', total_run_time=31.15, event_count=0, result_count=0, available_count=0, scan_count=27784715, drop_count=0, exec_time=1654735970, api_et=1654721520.000000000, api_lt=1654735920.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654721520.000000000, search_lt=1654735920.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2962", has_error_msg=false, fully_completed_search=true, 
is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=133, eliminated_buckets=0, considered_events=27784715, total_slices=1647746, decompressed_slices=449740, duration.command.search.index=10792, invocations.command.search.index.bucketcache.hit=133, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=82231, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12613477, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval 
right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 00:53:14.169, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654735800_6432', total_run_time=52.94, event_count=0, result_count=0, available_count=0, scan_count=27835733, drop_count=0, exec_time=1654735850, api_et=1654721400.000000000, api_lt=1654735800.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654721400.000000000, search_lt=1654735800.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2650", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=132, eliminated_buckets=0, considered_events=27835733, total_slices=1644149, decompressed_slices=450996, duration.command.search.index=11090, invocations.command.search.index.bucketcache.hit=132, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=87290, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12629646, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 00:53:13.961, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654735860_6456', total_run_time=24.96, event_count=0, result_count=0, available_count=0, scan_count=27809991, drop_count=0, exec_time=1654735909, api_et=1654721460.000000000, api_lt=1654735860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654721460.000000000, search_lt=1654735860.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2578", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=132, eliminated_buckets=0, considered_events=27809991, total_slices=1645943, decompressed_slices=450225, duration.command.search.index=10383, invocations.command.search.index.bucketcache.hit=132, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=77589, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12621309, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 00:50:38.878, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654735740_6409', total_run_time=43.04, event_count=0, result_count=0, available_count=0, scan_count=27860276, drop_count=0, exec_time=1654735789, api_et=1654721340.000000000, api_lt=1654735740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654721340.000000000, search_lt=1654735740.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2607", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=132, eliminated_buckets=0, considered_events=27860276, total_slices=1642300, decompressed_slices=451190, duration.command.search.index=11421, invocations.command.search.index.bucketcache.hit=132, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=90832, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12635902, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 00:49:38.796, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654735680_6386', total_run_time=37.55, event_count=0, result_count=0, available_count=0, scan_count=27885875, drop_count=0, exec_time=1654735729, api_et=1654721280.000000000, api_lt=1654735680.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654721280.000000000, search_lt=1654735680.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2597", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=132, eliminated_buckets=0, considered_events=27885875, total_slices=1640434, decompressed_slices=451483, duration.command.search.index=10912, invocations.command.search.index.bucketcache.hit=132, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=82030, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12644770, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 00:48:30.463, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654735620_6369', total_run_time=31.98, event_count=0, result_count=0, available_count=0, scan_count=27911052, drop_count=0, exec_time=1654735669, api_et=1654721220.000000000, api_lt=1654735620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654721220.000000000, search_lt=1654735620.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2612", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=132, eliminated_buckets=0, considered_events=27911052, total_slices=1638534, decompressed_slices=451739, duration.command.search.index=10168, invocations.command.search.index.bucketcache.hit=132, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=79954, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12653912, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 00:48:13.231, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654735560_6346', total_run_time=29.68, event_count=0, result_count=0, available_count=0, scan_count=27936685, drop_count=0, exec_time=1654735609, api_et=1654721160.000000000, api_lt=1654735560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654721160.000000000, search_lt=1654735560.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2614", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=132, eliminated_buckets=0, considered_events=27936685, total_slices=1636707, decompressed_slices=451950, duration.command.search.index=10468, invocations.command.search.index.bucketcache.hit=132, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=76361, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12662890, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 00:48:12.914, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654735500_6327', total_run_time=40.60, event_count=0, result_count=0, available_count=0, scan_count=27958607, drop_count=0, exec_time=1654735549, api_et=1654721100.000000000, api_lt=1654735500.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654721100.000000000, search_lt=1654735500.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2649", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=132, eliminated_buckets=0, considered_events=27958607, total_slices=1634899, decompressed_slices=452091, duration.command.search.index=10448, invocations.command.search.index.bucketcache.hit=132, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=83613, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12670283, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 00:45:45.275, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654735440_6304', total_run_time=34.55, event_count=0, result_count=0, available_count=0, scan_count=27978689, drop_count=0, exec_time=1654735489, api_et=1654721040.000000000, api_lt=1654735440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654721040.000000000, search_lt=1654735440.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2769", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=132, eliminated_buckets=0, considered_events=27978689, total_slices=1633067, decompressed_slices=452187, duration.command.search.index=10591, invocations.command.search.index.bucketcache.hit=132, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=78325, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12677181, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 00:44:34.982, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654735380_6280', total_run_time=45.84, event_count=0, result_count=0, available_count=0, scan_count=3474, drop_count=0, exec_time=1654735418, api_et=1654731780.000000000, api_lt=1654735380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654731780.000000000, search_lt=1654735420.299497000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2857", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_0963bb66cf755780", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=125, eliminated_buckets=0, considered_events=3474, total_slices=1074761, decompressed_slices=1015, duration.command.search.index=1242, invocations.command.search.index.bucketcache.hit=125, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5810, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 00:44:34.963, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654735380_6283', total_run_time=39.19, event_count=0, result_count=0, available_count=0, scan_count=28002959, drop_count=0, exec_time=1654735430, api_et=1654720980.000000000, api_lt=1654735380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654720980.000000000, search_lt=1654735380.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3461", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=132, eliminated_buckets=0, considered_events=28002959, total_slices=1631195, decompressed_slices=452445, duration.command.search.index=10902, invocations.command.search.index.bucketcache.hit=132, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=79304, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12686282, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 00:44:14.954, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654735260_6231', total_run_time=36.07, event_count=0, result_count=0, available_count=0, scan_count=28049956, drop_count=0, exec_time=1654735309, api_et=1654720860.000000000, api_lt=1654735260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654720860.000000000, search_lt=1654735260.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2784", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=132, eliminated_buckets=0, considered_events=28049956, total_slices=1627847, decompressed_slices=452899, duration.command.search.index=10974, invocations.command.search.index.bucketcache.hit=132, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=84990, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12701883, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 00:44:14.702, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654735320_6254', total_run_time=39.52, event_count=0, result_count=0, available_count=0, scan_count=28024309, drop_count=0, exec_time=1654735369, api_et=1654720920.000000000, api_lt=1654735320.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654720920.000000000, search_lt=1654735320.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3162", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=132, eliminated_buckets=0, considered_events=28024309, total_slices=1629303, decompressed_slices=452625, duration.command.search.index=11228, invocations.command.search.index.bucketcache.hit=132, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=88266, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12693202, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 00:44:13.739, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654735200_6207', total_run_time=51.24, event_count=0, result_count=0, available_count=0, scan_count=28074934, drop_count=0, exec_time=1654735250, api_et=1654720800.000000000, api_lt=1654735200.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654720800.000000000, search_lt=1654735200.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2610", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=132, eliminated_buckets=0, considered_events=28074934, total_slices=1625771, decompressed_slices=453102, duration.command.search.index=12776, invocations.command.search.index.bucketcache.hit=132, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=94558, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12712298, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 00:40:50.210, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654735140_6185', total_run_time=54.50, event_count=0, result_count=0, available_count=0, scan_count=28093462, drop_count=0, exec_time=1654735190, api_et=1654720740.000000000, api_lt=1654735140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654720740.000000000, search_lt=1654735140.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2744", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=132, eliminated_buckets=0, considered_events=28093462, total_slices=1623904, decompressed_slices=453186, duration.command.search.index=10894, invocations.command.search.index.bucketcache.hit=132, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=98883, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12718552, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 00:39:49.529, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654735080_6168', total_run_time=35.14, event_count=0, result_count=0, available_count=0, scan_count=28114467, drop_count=0, exec_time=1654735129, api_et=1654720680.000000000, api_lt=1654735080.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654720680.000000000, search_lt=1654735080.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2734", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=132, eliminated_buckets=0, considered_events=28114467, total_slices=1621912, decompressed_slices=453375, duration.command.search.index=11184, invocations.command.search.index.bucketcache.hit=132, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=83202, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12726028, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 00:39:20.047, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654735020_6152', total_run_time=39.35, event_count=0, result_count=0, available_count=0, scan_count=28141763, drop_count=0, exec_time=1654735070, api_et=1654720620.000000000, api_lt=1654735020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654720620.000000000, search_lt=1654735020.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2715", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=132, eliminated_buckets=0, considered_events=28141763, total_slices=1620031, decompressed_slices=453564, duration.command.search.index=10787, invocations.command.search.index.bucketcache.hit=132, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=86273, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12734514, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 00:39:18.203, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654734960_6137', total_run_time=33.94, event_count=0, result_count=0, available_count=0, scan_count=28165523, drop_count=0, exec_time=1654735009, api_et=1654720560.000000000, api_lt=1654734960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654720560.000000000, search_lt=1654734960.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2706", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=132, eliminated_buckets=0, considered_events=28165523, total_slices=1618233, decompressed_slices=453647, duration.command.search.index=11486, invocations.command.search.index.bucketcache.hit=132, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=84598, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12742133, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 00:39:16.538, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654734900_6127', total_run_time=51.90, event_count=0, result_count=0, available_count=0, scan_count=28190527, drop_count=0, exec_time=1654734950, api_et=1654720500.000000000, api_lt=1654734900.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654720500.000000000, search_lt=1654734900.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2873", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=132, eliminated_buckets=0, considered_events=28190527, total_slices=1616394, decompressed_slices=453844, duration.command.search.index=11037, invocations.command.search.index.bucketcache.hit=132, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=91410, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12752179, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 00:35:18.438, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654734780_6071', total_run_time=79.60, event_count=0, result_count=0, available_count=0, scan_count=28243451, drop_count=0, exec_time=1654734830, api_et=1654720380.000000000, api_lt=1654734780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654720380.000000000, search_lt=1654734780.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2739", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=132, eliminated_buckets=0, considered_events=28243451, total_slices=1612245, decompressed_slices=454367, duration.command.search.index=13184, invocations.command.search.index.bucketcache.hit=132, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=106010, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12767423, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 00:34:18.438, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654734780_6057', total_run_time=37.27, event_count=0, result_count=0, available_count=0, scan_count=41282557, drop_count=0, exec_time=1654734805, api_et=1654731180.000000000, api_lt=1654734780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654731180.000000000, search_lt=1654734807.392296000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="4006", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_809e21f9c52e0fe1", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1886, eliminated_buckets=137, considered_events=41282557, total_slices=14029633, decompressed_slices=4072758, duration.command.search.index=16179, invocations.command.search.index.bucketcache.hit=1885, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=223679, invocations.command.search.rawdata.bucketcache.hit=301, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 00:33:20.232, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654734660_6006', total_run_time=80.57, event_count=0, result_count=0, available_count=0, scan_count=28296571, drop_count=0, exec_time=1654734710, api_et=1654720260.000000000, api_lt=1654734660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654720260.000000000, search_lt=1654734660.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3117", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=28296571, total_slices=1608314, decompressed_slices=455135, duration.command.search.index=15814, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=131531, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12784711, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 00:31:21.110, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654734540_5951', total_run_time=89.97, event_count=0, result_count=0, available_count=0, scan_count=28342640, drop_count=0, exec_time=1654734589, api_et=1654720140.000000000, api_lt=1654734540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654720140.000000000, search_lt=1654734540.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2645", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=28342640, total_slices=1604986, decompressed_slices=455487, duration.command.search.index=13113, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=112319, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12800432, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 00:29:18.277, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654734420_5922', total_run_time=68.78, event_count=0, result_count=0, available_count=0, scan_count=28385188, drop_count=0, exec_time=1654734469, api_et=1654720020.000000000, api_lt=1654734420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654720020.000000000, search_lt=1654734420.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2724", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=1, considered_events=28385188, total_slices=1601297, decompressed_slices=455885, duration.command.search.index=13139, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=99636, invocations.command.search.rawdata.bucketcache.hit=9, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12815519, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 00:27:48.246, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654734360_5903', total_run_time=39.36, event_count=0, result_count=0, available_count=0, scan_count=28408028, drop_count=0, exec_time=1654734409, api_et=1654719960.000000000, api_lt=1654734360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654719960.000000000, search_lt=1654734360.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2705", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=1, considered_events=28408028, total_slices=1599422, decompressed_slices=456075, duration.command.search.index=12053, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=90437, invocations.command.search.rawdata.bucketcache.hit=9, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12823139, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 00:26:18.527, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654734240_5874', total_run_time=63.68, event_count=0, result_count=0, available_count=0, scan_count=28447465, drop_count=0, exec_time=1654734290, api_et=1654719840.000000000, api_lt=1654734240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654719840.000000000, search_lt=1654734240.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2858", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=1, considered_events=28447465, total_slices=1595567, decompressed_slices=456289, duration.command.search.index=14428, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=107581, invocations.command.search.rawdata.bucketcache.hit=9, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12835601, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 00:24:18.321, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654734120_5824', total_run_time=80.95, event_count=0, result_count=0, available_count=0, scan_count=28485171, drop_count=0, exec_time=1654734170, api_et=1654719720.000000000, api_lt=1654734120.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654719720.000000000, search_lt=1654734120.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2691", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=1, considered_events=28485171, total_slices=1591649, decompressed_slices=456639, duration.command.search.index=12651, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=99162, invocations.command.search.rawdata.bucketcache.hit=9, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12847639, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 00:22:34.319, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD5f35305de57109d38_at_1654734000_5782', total_run_time=83.04, event_count=12862974, result_count=15, available_count=0, scan_count=28527707, drop_count=0, exec_time=1654734057, api_et=1654719600.000000000, api_lt=1654734000.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654719600.000000000, search_lt=1654734000.000000000, is_realtime=0, savedsearch_name="(1/3)_Public/NAT IP_Updating Existing IP", search_startup_time="2795", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_0f6d107c44b6659a", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=2, considered_events=28527707, total_slices=1588270, decompressed_slices=456950, duration.command.search.index=17493, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=145510, invocations.command.search.rawdata.bucketcache.hit=9, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12862974, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="False" | eval earliest_seen=strptime(existing_es, "%m/%d/%Y %H:%M:%S.%N") | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(earliest_seen) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields ServiceType, host, src_translated_ip, earliest_seen, latest_seen, right_now, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 00:22:18.779, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654734000_5780', total_run_time=85.87, event_count=0, result_count=0, available_count=0, scan_count=28527707, drop_count=0, exec_time=1654734050, api_et=1654719600.000000000, api_lt=1654734000.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654719600.000000000, search_lt=1654734000.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2845", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=2, considered_events=28527707, total_slices=1588121, decompressed_slices=456950, duration.command.search.index=17513, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=152320, invocations.command.search.rawdata.bucketcache.hit=9, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12862974, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 00:20:48.160, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654733940_5755', total_run_time=51.84, event_count=0, result_count=0, available_count=0, scan_count=28550301, drop_count=0, exec_time=1654733990, api_et=1654719540.000000000, api_lt=1654733940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654719540.000000000, search_lt=1654733940.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2649", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=2, considered_events=28550301, total_slices=1586417, decompressed_slices=457051, duration.command.search.index=12433, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=120626, invocations.command.search.rawdata.bucketcache.hit=9, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12871385, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 00:19:18.490, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654733820_5707', total_run_time=64.74, event_count=0, result_count=0, available_count=0, scan_count=28589006, drop_count=0, exec_time=1654733869, api_et=1654719420.000000000, api_lt=1654733820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654719420.000000000, search_lt=1654733820.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2698", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=128, eliminated_buckets=0, considered_events=28589006, total_slices=1582079, decompressed_slices=457449, duration.command.search.index=14692, invocations.command.search.index.bucketcache.hit=128, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=129488, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12886281, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 00:17:18.280, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654733700_5668', total_run_time=72.70, event_count=0, result_count=0, available_count=0, scan_count=28625411, drop_count=0, exec_time=1654733750, api_et=1654719300.000000000, api_lt=1654733700.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654719300.000000000, search_lt=1654733700.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2743", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=128, eliminated_buckets=0, considered_events=28625411, total_slices=1578272, decompressed_slices=457769, duration.command.search.index=13565, invocations.command.search.index.bucketcache.hit=128, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=100523, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12903487, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 00:16:48.257, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654733760_5678', total_run_time=9.81, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654733770, api_et=1654729560.000000000, api_lt=1654733160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654730160.000000000, search_lt=1654733772.638706000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3254", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_f0840e66f3bfa618", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1084, eliminated_buckets=384, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=773, invocations.command.search.index.bucketcache.hit=1084, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes 
values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 00:15:18.460, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654733580_5626', total_run_time=59.76, event_count=0, result_count=0, available_count=0, scan_count=28663672, drop_count=0, exec_time=1654733630, api_et=1654719180.000000000, api_lt=1654733580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654719180.000000000, search_lt=1654733580.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2800", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=128, eliminated_buckets=0, considered_events=28663672, total_slices=1574419, decompressed_slices=458229, 
duration.command.search.index=13002, invocations.command.search.index.bucketcache.hit=128, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=91222, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12921609, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 00:14:48.279, user=u00001, action=search, 
info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654733640_5636', total_run_time=9.92, event_count=0, result_count=0, available_count=0, scan_count=16020, drop_count=0, exec_time=1654733663, api_et=1654730040.000000000, api_lt=1654733640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654730040.000000000, search_lt=1654733665.148786000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2881", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=411, eliminated_buckets=284, considered_events=16577, total_slices=795824, decompressed_slices=4082, duration.command.search.index=1380, invocations.command.search.index.bucketcache.hit=411, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=7349, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=54, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=359, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=920, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=219, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=4, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=190, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=12, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull 
value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-09-2022 00:13:48.214, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654733460_5581', total_run_time=97.41, event_count=0, result_count=0, available_count=0, scan_count=28702989, drop_count=0, exec_time=1654733509, api_et=1654719060.000000000, api_lt=1654733460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654719060.000000000, search_lt=1654733460.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2765", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=128, eliminated_buckets=0, considered_events=28702989, total_slices=1570637, decompressed_slices=458644, duration.command.search.index=14775, invocations.command.search.index.bucketcache.hit=128, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, 
invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=106987, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12943141, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 00:12:00.773, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654733340_5534', total_run_time=102.41, event_count=0, result_count=0, available_count=0, scan_count=28744081, drop_count=0, exec_time=1654733389, 
api_et=1654718940.000000000, api_lt=1654733340.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654718940.000000000, search_lt=1654733340.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2921", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=128, eliminated_buckets=0, considered_events=28744081, total_slices=1567370, decompressed_slices=458937, duration.command.search.index=17337, invocations.command.search.index.bucketcache.hit=128, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=132387, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12960784, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS 
existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 00:12:00.574, user=u00002, action=search, info=completed, search_id='scheduler__u00002__search__RMD5b133e58a16dd7195_at_1654732800_5455', total_run_time=400.77, event_count=2696, result_count=2695, available_count=0, scan_count=1756589, drop_count=0, exec_time=1654733088, api_et=1654646400.000000000, api_lt=1654732800.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1567209600.000000000, search_lt=1654732800.000000000, is_realtime=0, savedsearch_name="DMO Confluence Aging Metrics", search_startup_time="65019", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_search_u00002_c381dfe3dae401e1", app="search", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=30399, eliminated_buckets=4771, considered_events=1756589, total_slices=14097028, decompressed_slices=1089712, duration.command.search.index=1701453, invocations.command.search.index.bucketcache.hit=27168, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=3267, duration.command.search.index.bucketcache.miss=838163, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=381973, invocations.command.search.rawdata.bucketcache.hit=20166, duration.command.search.rawdata.bucketcache.hit=0, 
invocations.command.search.rawdata.bucketcache.miss=1425, duration.command.search.rawdata.bucketcache.miss=641854, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__access=71088, sourcetype_count__atlassian:confluence:access=1170765, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search earliest=08/31/2019:00:00:00 latest=now index=ops_confluence url IN ("https://confluence.tshirt.com/display/SEC/*") uri_path="/rest/quickreload/latest/*" | fields url, uri_path | rex field=uri_path "\/rest\/quickreload\/latest\/(?[^?]+)" | rex field=url "https:\/\/confluence.tshirt.com\/display\/SEC\/(?[^?]+)" | rex field=url "https://confluence.tshirt.com/display/~u00001/(?[^?]+)" | eval pageTitle=coalesce(pageTitle_1, pageTitle_2, "") | fields pageId, pageTitle | dedup pageId | join type=left pageId [search earliest=08/31/2019:00:00:00 latest=now index=ops_confluence PUT user=* url="https://confluence.tshirt.com/pages/resumedraft.action?draftId=*" uri_path="/rest/api/content/*" | rex field=uri_path "\/rest\/api\/content\/(?[^?]+)\?status=draft" | stats latest(_time) AS last_edited latest(user) AS last_edited_by by pageId | fields last_edited last_edited_by pageId] | fields last_edited pageTitle pageId last_edited_by | eval days=round(((now()-last_edited)/86400),0) | convert ctime(last_edited) | table last_edited pageTitle pageId last_edited_by days | where pageId!=0 | sort +days | outputlookup dmo_conf_age.csv'] Audit:[timestamp=06-09-2022 00:12:00.435, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654733460_5563', total_run_time=5.98, event_count=0, result_count=0, available_count=0, 
scan_count=0, drop_count=0, exec_time=1654733465, api_et=1654729860.000000000, api_lt=1654733460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654729860.000000000, search_lt=1654733467.025060000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="3101", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_932d2958c7589b1a", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=125, eliminated_buckets=51, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=35, invocations.command.search.index.bucketcache.hit=125, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count 
values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 00:10:18.169, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654733340_5526', total_run_time=45.46, event_count=0, result_count=0, available_count=0, scan_count=5025528, drop_count=0, exec_time=1654733346, api_et=1654729140.000000000, api_lt=1654732740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654729140.000000000, search_lt=1654732740.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3389", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_057edee4fcf7a114", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=818, eliminated_buckets=402, considered_events=5025528, total_slices=1142258, decompressed_slices=228337, duration.command.search.index=2268, invocations.command.search.index.bucketcache.hit=818, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, 
duration.command.search.rawdata=41319, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=102, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 00:09:48.355, user=u00002, action=search, info=completed, 
search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654733220_5505', total_run_time=95.92, event_count=0, result_count=0, available_count=0, scan_count=28789283, drop_count=0, exec_time=1654733269, api_et=1654718820.000000000, api_lt=1654733220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654718820.000000000, search_lt=1654733220.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3414", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=128, eliminated_buckets=0, considered_events=28789283, total_slices=1563112, decompressed_slices=459368, duration.command.search.index=18137, invocations.command.search.index.bucketcache.hit=128, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=139091, invocations.command.search.rawdata.bucketcache.hit=7, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12982459, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" 
src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 00:08:48.353, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654733220_5508', total_run_time=45.18, event_count=2973, result_count=57, available_count=0, scan_count=503786, drop_count=0, exec_time=1654733280, api_et=1654729620.000000000, api_lt=1654733220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654729620.000000000, search_lt=1654733282.761169000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - Windows - CLI Threat Indicator Detected - Rule", search_startup_time="3295", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=414, eliminated_buckets=200, considered_events=508254, total_slices=507772, decompressed_slices=119891, duration.command.search.index=5619, invocations.command.search.index.bucketcache.hit=414, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=54935, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=412076, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=40243, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval 
risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-09-2022 00:07:47.479, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654732980_5409', total_run_time=189.34, event_count=0, result_count=0, available_count=0, scan_count=28884913, drop_count=0, exec_time=1654733029, api_et=1654718580.000000000, api_lt=1654732980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654718580.000000000, search_lt=1654732980.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2766", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=127, eliminated_buckets=0, considered_events=28884913, total_slices=1555460, decompressed_slices=460142, duration.command.search.index=40013, invocations.command.search.index.bucketcache.hit=127, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=421024, invocations.command.search.rawdata.bucketcache.hit=7, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13022674, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 00:07:46.948, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654733220_5500', total_run_time=15.48, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654733247, api_et=1654729620.000000000, api_lt=1654733220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654729620.000000000, search_lt=1654733248.925113000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2988", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_ac2e6d33b20e7f9b", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=414, eliminated_buckets=200, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=1623, invocations.command.search.index.bucketcache.hit=414, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, 
risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-09-2022 00:03:41.687, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654732800_5294', total_run_time=124.43, event_count=0, result_count=0, available_count=0, scan_count=28954043, drop_count=0, exec_time=1654732850, api_et=1654718400.000000000, api_lt=1654732800.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654718400.000000000, search_lt=1654732800.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2584", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=127, eliminated_buckets=0, considered_events=28954043, total_slices=1549826, decompressed_slices=461309, duration.command.search.index=43698, invocations.command.search.index.bucketcache.hit=127, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=386667, invocations.command.search.rawdata.bucketcache.hit=6, duration.command.search.rawdata.bucketcache.hit=0, 
invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13059955, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-09-2022 00:03:39.112, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD5447569e8e48a25cb_at_1654732800_5290', total_run_time=62.53, event_count=0, result_count=100, available_count=0, scan_count=0, drop_count=0, exec_time=1654732833, api_et=1654731000.000000000, api_lt=1654732800.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654731000.000000000, search_lt=1654732800.000000000, is_realtime=0, savedsearch_name="DMO SOP SIR 
Metrics", search_startup_time="63229", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=0, eliminated_buckets=0, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=0, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='| inputlookup dmo_conf_age.csv | search pageTitle IN ("DMOESS*", "RQ-S*") NOT pageTitle IN ("*+Retired", "*+RETIRED") | rex field=pageTitle "^(?\S+?)\+" | join usecase_id [| search earliest=-1y index=sec_snow sourcetype=snow:sn_si_incident | rex field=description "(?s)\|\s(?(RQ-|DMOESS).*)?For ServiceNow Consumption:" | stats latest(number) as latest_sir_number by _time, usecase_title | makemv usecase_title delim=" | " | mvexpand usecase_title | search usecase_title IN ("RQ-*", "DMOESS*") | stats last(latest_sir_number) as latest_sir_number latest(_time) as last_appeared_in_sir by usecase_title | rex field=usecase_title "^(?\S*)" | fields usecase_id, usecase_title, latest_sir_number, last_appeared_in_sir] | stats values(pageTitle) as 
conf_pageTitle, values(last_edited_by) as conf_last_edited_by, values(last_edited) as conf_last_edited, values(days) as conf_days_since_last_edit, values(pageId) as conf_pageId by last_appeared_in_sir, latest_sir_number, usecase_id, usecase_title | convert ctime(last_appeared_in_sir) | outputlookup dmo_sop_sir_metrics.csv'] Audit:[timestamp=06-08-2022 23:44:03.983, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654731780_5004', total_run_time=24.34, event_count=0, result_count=0, available_count=0, scan_count=3211, drop_count=0, exec_time=1654731818, api_et=1654728180.000000000, api_lt=1654731780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654728180.000000000, search_lt=1654731820.741997000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2891", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_a2e827619f46d0ed", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=123, eliminated_buckets=0, considered_events=3211, total_slices=1128687, decompressed_slices=1053, duration.command.search.index=1301, invocations.command.search.index.bucketcache.hit=123, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5084, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 23:35:49.643, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654731180_4797', total_run_time=40.89, event_count=0, result_count=0, available_count=0, scan_count=41324387, drop_count=0, exec_time=1654731205, api_et=1654727580.000000000, api_lt=1654731180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654727580.000000000, search_lt=1654731207.738125000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3758", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_da59ae0470b45063", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1890, eliminated_buckets=137, considered_events=41324387, total_slices=13836430, decompressed_slices=4069487, duration.command.search.index=16570, invocations.command.search.index.bucketcache.hit=1890, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=231241, invocations.command.search.rawdata.bucketcache.hit=285, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 23:16:46.671, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654730160_4458', total_run_time=8.78, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654730170, api_et=1654725960.000000000, api_lt=1654729560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654726560.000000000, search_lt=1654730172.773678000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3245", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_95818d1c29b39c90", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1080, eliminated_buckets=384, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=695, invocations.command.search.index.bucketcache.hit=1080, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 23:14:46.825, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654730040_4417', total_run_time=5.34, event_count=0, result_count=0, available_count=0, scan_count=14791, drop_count=0, exec_time=1654730063, api_et=1654726440.000000000, api_lt=1654730040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654726440.000000000, search_lt=1654730065.267140000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2838", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=414, eliminated_buckets=287, considered_events=14870, total_slices=841201, decompressed_slices=4263, duration.command.search.index=1227, invocations.command.search.index.bucketcache.hit=412, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=6065, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=66, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=431, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=1162, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=272, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=9, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=294, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=14, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") 
`filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-08-2022 23:11:16.801, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654729860_4352', total_run_time=5.30, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654729864, api_et=1654726260.000000000, api_lt=1654729860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654726260.000000000, search_lt=1654729867.111184000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="3246", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_bc25baaf511bc5be", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=123, eliminated_buckets=48, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=41, invocations.command.search.index.bucketcache.hit=123, 
duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 23:09:46.991, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654729740_4320', total_run_time=18.65, event_count=0, result_count=0, available_count=0, scan_count=5069689, drop_count=0, exec_time=1654729745, api_et=1654725540.000000000, api_lt=1654729140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654725540.000000000, search_lt=1654729140.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3074", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_7fd7985c67350fff", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=816, eliminated_buckets=400, considered_events=5069689, total_slices=1189381, decompressed_slices=237594, duration.command.search.index=2065, invocations.command.search.index.bucketcache.hit=816, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=38143, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=112, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 23:08:47.042, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654729620_4302', total_run_time=20.23, event_count=1282, result_count=58, available_count=0, scan_count=494171, drop_count=0, exec_time=1654729680, api_et=1654726020.000000000, api_lt=1654729620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654726020.000000000, search_lt=1654729682.867919000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="3092", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=415, eliminated_buckets=197, considered_events=501663, total_slices=579692, decompressed_slices=139476, duration.command.search.index=4249, invocations.command.search.index.bucketcache.hit=414, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=39063, invocations.command.search.rawdata.bucketcache.hit=7, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=3, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=397597, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=39527, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype 
CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-08-2022 23:07:46.753, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654729620_4297', total_run_time=9.85, event_count=0, result_count=0, available_count=0, scan_count=2, drop_count=0, exec_time=1654729647, api_et=1654726020.000000000, api_lt=1654729620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654726020.000000000, search_lt=1654729648.909680000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2865", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_4b4f2e2fa8de962f", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=415, eliminated_buckets=198, considered_events=2, total_slices=145, decompressed_slices=2, duration.command.search.index=991, invocations.command.search.index.bucketcache.hit=415, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=347, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 22:44:22.644, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654728180_3834', total_run_time=22.22, event_count=0, result_count=0, available_count=0, scan_count=3579, drop_count=0, exec_time=1654728218, api_et=1654724580.000000000, api_lt=1654728180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654724580.000000000, search_lt=1654728220.108780000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2884", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_634c7297d3b53951", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=121, eliminated_buckets=0, considered_events=3579, total_slices=1229673, decompressed_slices=1070, duration.command.search.index=1279, invocations.command.search.index.bucketcache.hit=121, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5200, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 22:36:07.829, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654727580_3623', total_run_time=47.31, event_count=0, result_count=0, available_count=0, scan_count=41487182, drop_count=0, exec_time=1654727605, api_et=1654723980.000000000, api_lt=1654727580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654723980.000000000, search_lt=1654727607.481296000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3721", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_f31dec93938cfb76", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1891, eliminated_buckets=137, considered_events=41487182, total_slices=14054445, decompressed_slices=4085982, duration.command.search.index=15172, invocations.command.search.index.bucketcache.hit=1890, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=237245, invocations.command.search.rawdata.bucketcache.hit=312, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 22:17:46.735, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654726560_3272', total_run_time=9.48, event_count=0, result_count=0, available_count=0, scan_count=10, drop_count=0, exec_time=1654726570, api_et=1654722360.000000000, api_lt=1654725960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654722960.000000000, search_lt=1654726572.276019000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3223", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_d9a45d955d9d47c6", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1083, eliminated_buckets=386, considered_events=10, total_slices=5253, decompressed_slices=1, duration.command.search.index=681, invocations.command.search.index.bucketcache.hit=1083, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=119, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metadata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metadata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 22:14:42.819, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654726440_3232', total_run_time=9.79, event_count=0, result_count=0, available_count=0, scan_count=13561, drop_count=0, exec_time=1654726463, api_et=1654722840.000000000, api_lt=1654726440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654722840.000000000, search_lt=1654726465.098951000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2790", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=413, eliminated_buckets=287, considered_events=13575, total_slices=794817, decompressed_slices=4933, duration.command.search.index=1338, invocations.command.search.index.bucketcache.hit=413, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=6514, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=60, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=552, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=1466, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=350, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=9, 
sourcetype_count__crowdstrike:falcon:fdr:PdfFileWritten=2, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=525, sourcetype_count__crowdstrike:falcon:fdr:RtfFileWritten=1, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=8, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR 
sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-08-2022 22:11:12.994, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654726260_3165', total_run_time=5.08, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654726264, api_et=1654722660.000000000, api_lt=1654726260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654722660.000000000, search_lt=1654726266.632127000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="3040", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_fca2912d02e7b912", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=124, eliminated_buckets=49, considered_events=0, total_slices=0, decompressed_slices=0, 
duration.command.search.index=42, invocations.command.search.index.bucketcache.hit=124, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 22:09:42.938, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654726140_3134', total_run_time=20.84, event_count=0, result_count=0, available_count=0, scan_count=4708500, drop_count=0, exec_time=1654726145, api_et=1654721940.000000000, api_lt=1654725540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654721940.000000000, search_lt=1654725540.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="2960", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_761056d270b9de0c", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=812, eliminated_buckets=393, considered_events=4708500, total_slices=1169587, decompressed_slices=222893, duration.command.search.index=2037, invocations.command.search.index.bucketcache.hit=810, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=35807, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=151, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 22:08:42.919, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654726020_3114', total_run_time=22.49, event_count=3351, result_count=56, available_count=0, scan_count=576913, drop_count=0, exec_time=1654726080, api_et=1654722420.000000000, api_lt=1654726020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654722420.000000000, search_lt=1654726082.242787000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2707", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=415, eliminated_buckets=198, considered_events=584783, total_slices=694446, decompressed_slices=154768, duration.command.search.index=4699, invocations.command.search.index.bucketcache.hit=415, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=43106, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=4, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=466240, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=42152, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype 
CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-08-2022 22:07:42.774, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654726020_3109', total_run_time=14.18, event_count=0, result_count=0, available_count=0, scan_count=1, drop_count=0, exec_time=1654726046, api_et=1654722420.000000000, api_lt=1654726020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654722420.000000000, search_lt=1654726048.598289000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2668", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_9fe365b4e908f130", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=415, eliminated_buckets=198, considered_events=1, total_slices=13579, decompressed_slices=1, duration.command.search.index=1205, invocations.command.search.index.bucketcache.hit=415, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=317, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 21:44:41.680, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654724580_2645', total_run_time=62.00, event_count=0, result_count=0, available_count=0, scan_count=3433, drop_count=0, exec_time=1654724618, api_et=1654720980.000000000, api_lt=1654724580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654720980.000000000, search_lt=1654724619.738078000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2294", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_7ea916a86c178d5c", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=118, eliminated_buckets=0, considered_events=3433, total_slices=1148727, decompressed_slices=1243, duration.command.search.index=1637, invocations.command.search.index.bucketcache.hit=118, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=6638, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 21:34:32.760, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654723980_2440', total_run_time=42.15, event_count=0, result_count=0, available_count=0, scan_count=41499198, drop_count=0, exec_time=1654724006, api_et=1654720380.000000000, api_lt=1654723980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654720380.000000000, search_lt=1654724008.076201000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3738", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_84aee2106b2fc4c4", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1894, eliminated_buckets=137, considered_events=41499198, total_slices=14353163, decompressed_slices=4086506, duration.command.search.index=15228, invocations.command.search.index.bucketcache.hit=1893, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=233233, invocations.command.search.rawdata.bucketcache.hit=317, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 21:20:26.419, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654722960_2098', total_run_time=30.77, event_count=0, result_count=0, available_count=0, scan_count=3, drop_count=0, exec_time=1654722971, api_et=1654718760.000000000, api_lt=1654722360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654719360.000000000, search_lt=1654722972.891671000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3284", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_d1a043cf0ad5a9a3", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1086, eliminated_buckets=386, considered_events=3, total_slices=12994, decompressed_slices=2, duration.command.search.index=1071, invocations.command.search.index.bucketcache.hit=1086, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=154, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?<rapiddiag_operation>task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metadata")` | rex field=uri "\?(?<get_parameters>.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?<task_name>.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metadata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 21:14:57.498, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654722840_2058', total_run_time=5.23, event_count=0, result_count=0, available_count=0, scan_count=15215, drop_count=0, exec_time=1654722863, api_et=1654719240.000000000, api_lt=1654722840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654719240.000000000, search_lt=1654722865.318273000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2740", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=408, eliminated_buckets=283, considered_events=15237, total_slices=685072, decompressed_slices=4663, duration.command.search.index=1182, invocations.command.search.index.bucketcache.hit=408, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=6347, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=77, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=546, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=1364, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=323, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=9, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=386, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=7, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") 
`filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-08-2022 21:11:39.376, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654722660_1992', total_run_time=5.34, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654722664, api_et=1654719060.000000000, api_lt=1654722660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654719060.000000000, search_lt=1654722667.247109000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="3332", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_9db4888b26a6dd41", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=123, eliminated_buckets=48, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=42, invocations.command.search.index.bucketcache.hit=123, 
duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 21:09:57.375, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654722540_1958', total_run_time=22.90, event_count=0, result_count=0, available_count=0, scan_count=5078677, drop_count=0, exec_time=1654722545, api_et=1654718340.000000000, api_lt=1654721940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654718340.000000000, search_lt=1654721940.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3326", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_886d94f13b6f3204", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=826, eliminated_buckets=407, considered_events=5078677, total_slices=1157435, decompressed_slices=236140, duration.command.search.index=2247, invocations.command.search.index.bucketcache.hit=824, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=42000, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=126, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?<granted_account_id>\d+?):(?<granted_principal_name>.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 21:08:57.492, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654722420_1940', total_run_time=27.38, event_count=1123, result_count=56, available_count=0, scan_count=535059, drop_count=0, exec_time=1654722480, api_et=1654718820.000000000, api_lt=1654722420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654718820.000000000, search_lt=1654722482.258314000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2818", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=407, eliminated_buckets=197, considered_events=540883, total_slices=602082, decompressed_slices=130713, duration.command.search.index=5592, invocations.command.search.index.bucketcache.hit=407, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51395, invocations.command.search.rawdata.bucketcache.hit=5, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=5, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=427491, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=42033, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype 
CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-08-2022 21:07:47.060, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654722420_1935', total_run_time=7.95, event_count=0, result_count=0, available_count=0, scan_count=1, drop_count=0, exec_time=1654722446, api_et=1654718820.000000000, api_lt=1654722420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654718820.000000000, search_lt=1654722447.900083000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2545", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_e4e4642e5665d6f7", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=407, eliminated_buckets=197, considered_events=1, total_slices=3594, decompressed_slices=1, duration.command.search.index=963, invocations.command.search.index.bucketcache.hit=407, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=146, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 21:03:26.209, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654721940_1743', total_run_time=57.32, event_count=0, result_count=0, available_count=0, scan_count=30088482, drop_count=0, exec_time=1654721990, api_et=1654707540.000000000, api_lt=1654721940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654707540.000000000, search_lt=1654721940.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2730", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=117, eliminated_buckets=0, considered_events=30088482, total_slices=1206278, decompressed_slices=474698, duration.command.search.index=12782, invocations.command.search.index.bucketcache.hit=117, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=111043, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13525462, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 20:59:43.415, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654721880_1730', total_run_time=35.39, event_count=0, result_count=0, available_count=0, scan_count=30087360, drop_count=0, exec_time=1654721930, api_et=1654707480.000000000, api_lt=1654721880.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654707480.000000000, search_lt=1654721880.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="7891", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=117, eliminated_buckets=0, considered_events=30087360, total_slices=1203966, decompressed_slices=474495, duration.command.search.index=12071, invocations.command.search.index.bucketcache.hit=117, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=88747, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13524146, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 20:58:43.534, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654721820_1715', total_run_time=30.98, event_count=0, result_count=0, available_count=0, scan_count=30083106, drop_count=0, exec_time=1654721870, api_et=1654707420.000000000, api_lt=1654721820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654707420.000000000, search_lt=1654721820.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2955", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=117, eliminated_buckets=0, considered_events=30083106, total_slices=1201625, decompressed_slices=474483, duration.command.search.index=11717, invocations.command.search.index.bucketcache.hit=117, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=86633, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13519895, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 20:57:43.397, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654721760_1698', total_run_time=25.83, event_count=0, result_count=0, available_count=0, scan_count=30082208, drop_count=0, exec_time=1654721809, api_et=1654707360.000000000, api_lt=1654721760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654707360.000000000, search_lt=1654721760.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2545", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=118, eliminated_buckets=0, considered_events=30082208, total_slices=1225891, decompressed_slices=474365, duration.command.search.index=11376, invocations.command.search.index.bucketcache.hit=118, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=82607, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13520447, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 20:56:43.464, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654721700_1687', total_run_time=29.18, event_count=0, result_count=0, available_count=0, scan_count=30081342, drop_count=0, exec_time=1654721750, api_et=1654707300.000000000, api_lt=1654721700.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654707300.000000000, search_lt=1654721700.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2627", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=118, eliminated_buckets=0, considered_events=30081342, total_slices=1223760, decompressed_slices=474443, duration.command.search.index=11472, invocations.command.search.index.bucketcache.hit=118, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=87571, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13521115, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 20:55:43.547, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654721640_1672', total_run_time=30.48, event_count=0, result_count=0, available_count=0, scan_count=30082171, drop_count=0, exec_time=1654721689, api_et=1654707240.000000000, api_lt=1654721640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654707240.000000000, search_lt=1654721640.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2604", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=118, eliminated_buckets=0, considered_events=30082171, total_slices=1221843, decompressed_slices=474433, duration.command.search.index=11928, invocations.command.search.index.bucketcache.hit=118, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=85451, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13522675, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 20:54:43.489, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654721580_1655', total_run_time=38.74, event_count=0, result_count=0, available_count=0, scan_count=30078290, drop_count=0, exec_time=1654721629, api_et=1654707180.000000000, api_lt=1654721580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654707180.000000000, search_lt=1654721580.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3250", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=118, eliminated_buckets=0, considered_events=30078290, total_slices=1219640, decompressed_slices=474273, duration.command.search.index=11814, invocations.command.search.index.bucketcache.hit=118, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=89442, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13519329, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 20:53:33.656, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654721520_1632', total_run_time=43.56, event_count=0, result_count=0, available_count=0, scan_count=30078944, drop_count=0, exec_time=1654721569, api_et=1654707120.000000000, api_lt=1654721520.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654707120.000000000, search_lt=1654721520.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2905", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=118, eliminated_buckets=0, considered_events=30078944, total_slices=1217549, decompressed_slices=474258, duration.command.search.index=13651, invocations.command.search.index.bucketcache.hit=118, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=98983, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13516028, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 20:53:13.830, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654721460_1615', total_run_time=40.70, event_count=0, result_count=0, available_count=0, scan_count=30080615, drop_count=0, exec_time=1654721509, api_et=1654707060.000000000, api_lt=1654721460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654707060.000000000, search_lt=1654721460.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2769", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=118, eliminated_buckets=0, considered_events=30080615, total_slices=1215566, decompressed_slices=474088, duration.command.search.index=12228, invocations.command.search.index.bucketcache.hit=118, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=93716, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13513917, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 20:53:13.758, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654721400_1591', total_run_time=48.67, event_count=0, result_count=0, available_count=0, scan_count=30081486, drop_count=0, exec_time=1654721449, api_et=1654707000.000000000, api_lt=1654721400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654707000.000000000, search_lt=1654721400.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2668", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=118, eliminated_buckets=0, considered_events=30081486, total_slices=1213335, decompressed_slices=473716, duration.command.search.index=16499, invocations.command.search.index.bucketcache.hit=118, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=115900, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13514111, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 20:50:56.178, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654721340_1568', total_run_time=54.48, event_count=0, result_count=0, available_count=0, scan_count=30080432, drop_count=0, exec_time=1654721389, api_et=1654706940.000000000, api_lt=1654721340.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654706940.000000000, search_lt=1654721340.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2738", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=119, eliminated_buckets=0, considered_events=30080432, total_slices=1237376, decompressed_slices=473652, duration.command.search.index=13653, invocations.command.search.index.bucketcache.hit=119, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=106467, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13512202, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 20:49:56.398, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654721280_1547', total_run_time=50.81, event_count=0, result_count=0, available_count=0, scan_count=30078216, drop_count=0, exec_time=1654721329, api_et=1654706880.000000000, api_lt=1654721280.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654706880.000000000, search_lt=1654721280.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2706", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=119, eliminated_buckets=0, considered_events=30078216, total_slices=1235417, decompressed_slices=473681, duration.command.search.index=12827, invocations.command.search.index.bucketcache.hit=119, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=93808, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13508405, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 20:48:27.540, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654721220_1531', total_run_time=36.72, event_count=0, result_count=0, available_count=0, scan_count=30075431, drop_count=0, exec_time=1654721269, api_et=1654706820.000000000, api_lt=1654721220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654706820.000000000, search_lt=1654721220.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2866", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=119, eliminated_buckets=0, considered_events=30075431, total_slices=1233238, decompressed_slices=473633, duration.command.search.index=12214, invocations.command.search.index.bucketcache.hit=119, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=92257, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13503915, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 20:48:26.962, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654721160_1510', total_run_time=38.80, event_count=0, result_count=0, available_count=0, scan_count=30076210, drop_count=0, exec_time=1654721210, api_et=1654706760.000000000, api_lt=1654721160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654706760.000000000, search_lt=1654721160.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2687", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=119, eliminated_buckets=0, considered_events=30076210, total_slices=1231200, decompressed_slices=473741, duration.command.search.index=11996, invocations.command.search.index.bucketcache.hit=119, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=90751, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13501351, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 20:48:25.443, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654721100_1492', total_run_time=41.70, event_count=0, result_count=0, available_count=0, scan_count=30078971, drop_count=0, exec_time=1654721150, api_et=1654706700.000000000, api_lt=1654721100.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654706700.000000000, search_lt=1654721100.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2741", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=119, eliminated_buckets=0, considered_events=30078971, total_slices=1229111, decompressed_slices=473768, duration.command.search.index=12690, invocations.command.search.index.bucketcache.hit=119, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=98954, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13499115, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 20:45:34.265, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654721040_1470', total_run_time=32.47, event_count=0, result_count=0, available_count=0, scan_count=30080345, drop_count=0, exec_time=1654721089, api_et=1654706640.000000000, api_lt=1654721040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654706640.000000000, search_lt=1654721040.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2656", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=119, eliminated_buckets=0, considered_events=30080345, total_slices=1227087, decompressed_slices=473704, duration.command.search.index=12642, invocations.command.search.index.bucketcache.hit=119, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=95004, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13497231, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 20:45:04.017, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654720980_1449', total_run_time=45.84, event_count=0, result_count=0, available_count=0, scan_count=30080667, drop_count=0, exec_time=1654721029, api_et=1654706580.000000000, api_lt=1654720980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654706580.000000000, search_lt=1654720980.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3235", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=119, eliminated_buckets=0, considered_events=30080667, total_slices=1225252, decompressed_slices=473631, duration.command.search.index=13131, invocations.command.search.index.bucketcache.hit=119, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=101978, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13492168, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 20:44:34.303, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654720980_1446', total_run_time=51.32, event_count=0, result_count=0, available_count=0, scan_count=3704, drop_count=0, exec_time=1654721018, api_et=1654717380.000000000, api_lt=1654720980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654717380.000000000, search_lt=1654721020.566031000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2926", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_9eb8b44d397c27da", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=117, eliminated_buckets=0, considered_events=3704, total_slices=1007122, decompressed_slices=1079, duration.command.search.index=2096, invocations.command.search.index.bucketcache.hit=117, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=6355, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter 
vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 20:44:00.625, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654720800_1373', total_run_time=51.71, event_count=0, result_count=0, available_count=0, scan_count=30087262, drop_count=0, exec_time=1654720849, api_et=1654706400.000000000, api_lt=1654720800.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654706400.000000000, search_lt=1654720800.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2626", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=120, eliminated_buckets=0, considered_events=30087262, total_slices=1245067, decompressed_slices=473818, duration.command.search.index=15827, invocations.command.search.index.bucketcache.hit=120, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=114049, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13484143, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 20:44:00.453, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654720860_1399', total_run_time=46.84, event_count=0, result_count=0, available_count=0, scan_count=30084148, drop_count=0, exec_time=1654720909, api_et=1654706460.000000000, api_lt=1654720860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654706460.000000000, search_lt=1654720860.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2849", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=120, eliminated_buckets=0, considered_events=30084148, total_slices=1246851, decompressed_slices=473698, duration.command.search.index=14977, invocations.command.search.index.bucketcache.hit=120, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=111198, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13486478, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 20:43:59.512, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654720920_1422', total_run_time=52.09, event_count=0, result_count=0, available_count=0, scan_count=30080041, drop_count=0, exec_time=1654720970, api_et=1654706520.000000000, api_lt=1654720920.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654706520.000000000, search_lt=1654720920.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2798", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=119, eliminated_buckets=0, considered_events=30080041, total_slices=1223212, decompressed_slices=473594, duration.command.search.index=14627, invocations.command.search.index.bucketcache.hit=119, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=109593, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13488583, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 20:41:03.492, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654720740_1352', total_run_time=53.66, event_count=0, result_count=0, available_count=0, scan_count=30091212, drop_count=0, exec_time=1654720790, api_et=1654706340.000000000, api_lt=1654720740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654706340.000000000, search_lt=1654720740.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2665", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=120, eliminated_buckets=0, considered_events=30091212, total_slices=1243110, decompressed_slices=473851, duration.command.search.index=15523, invocations.command.search.index.bucketcache.hit=120, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=126959, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13482508, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 20:39:33.643, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654720680_1336', total_run_time=39.02, event_count=0, result_count=0, available_count=0, scan_count=30095881, drop_count=0, exec_time=1654720730, api_et=1654706280.000000000, api_lt=1654720680.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654706280.000000000, search_lt=1654720680.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2798", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=120, eliminated_buckets=0, considered_events=30095881, total_slices=1241239, decompressed_slices=473921, duration.command.search.index=13283, invocations.command.search.index.bucketcache.hit=120, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=108795, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13480203, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 20:38:31.924, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654720500_1296', total_run_time=42.83, event_count=0, result_count=0, available_count=0, scan_count=30099386, drop_count=0, exec_time=1654720550, api_et=1654706100.000000000, api_lt=1654720500.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654706100.000000000, search_lt=1654720500.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2759", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=120, eliminated_buckets=0, considered_events=30099386, total_slices=1235018, decompressed_slices=473936, duration.command.search.index=16496, invocations.command.search.index.bucketcache.hit=120, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=135347, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13471274, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 20:38:31.439, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654720620_1321', total_run_time=33.36, event_count=0, result_count=0, available_count=0, scan_count=30094992, drop_count=0, exec_time=1654720669, api_et=1654706220.000000000, api_lt=1654720620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654706220.000000000, search_lt=1654720620.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2731", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=120, eliminated_buckets=0, considered_events=30094992, total_slices=1239020, decompressed_slices=473952, duration.command.search.index=12931, invocations.command.search.index.bucketcache.hit=120, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=101307, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13476250, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 20:38:31.410, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654720560_1306', total_run_time=33.08, event_count=0, result_count=0, available_count=0, scan_count=30095265, drop_count=0, exec_time=1654720610, api_et=1654706160.000000000, api_lt=1654720560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654706160.000000000, search_lt=1654720560.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2683", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=120, eliminated_buckets=0, considered_events=30095265, total_slices=1237024, decompressed_slices=473951, duration.command.search.index=12481, invocations.command.search.index.bucketcache.hit=120, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=102105, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13473267, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 20:35:57.353, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654720440_1275', total_run_time=40.14, event_count=0, result_count=0, available_count=0, scan_count=30112589, drop_count=0, exec_time=1654720489, api_et=1654706040.000000000, api_lt=1654720440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654706040.000000000, search_lt=1654720440.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2748", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=120, eliminated_buckets=0, considered_events=30112589, total_slices=1232995, decompressed_slices=474083, duration.command.search.index=13357, invocations.command.search.index.bucketcache.hit=120, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=94649, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13471089, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 20:34:57.145, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654720380_1239', total_run_time=52.29, event_count=0, result_count=0, available_count=0, scan_count=30117352, drop_count=0, exec_time=1654720429, api_et=1654705980.000000000, api_lt=1654720380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654705980.000000000, search_lt=1654720380.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2703", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=120, eliminated_buckets=0, considered_events=30117352, total_slices=1230901, decompressed_slices=474033, duration.command.search.index=15097, invocations.command.search.index.bucketcache.hit=120, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=105243, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13469999, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 20:34:27.268, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654720380_1226', total_run_time=45.22, event_count=0, result_count=0, available_count=0, scan_count=41310929, drop_count=0, exec_time=1654720405, api_et=1654716780.000000000, api_lt=1654720380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654716780.000000000, search_lt=1654720407.510162000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3236", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_92b27a0ac01dc49c", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1910, eliminated_buckets=137, considered_events=41310929, total_slices=14558099, decompressed_slices=4051985, duration.command.search.index=14387, invocations.command.search.index.bucketcache.hit=1910, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=227976, invocations.command.search.rawdata.bucketcache.hit=332, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 20:33:57.278, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654720320_1203', total_run_time=57.32, event_count=0, result_count=0, available_count=0, scan_count=30116239, drop_count=0, exec_time=1654720370, api_et=1654705920.000000000, api_lt=1654720320.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654705920.000000000, search_lt=1654720320.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2677", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=120, eliminated_buckets=0, considered_events=30116239, total_slices=1228766, decompressed_slices=473939, duration.command.search.index=15519, invocations.command.search.index.bucketcache.hit=120, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=109422, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13467125, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 20:31:57.216, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654720200_1135', total_run_time=61.73, event_count=0, result_count=0, available_count=0, scan_count=30116039, drop_count=0, exec_time=1654720249, api_et=1654705800.000000000, api_lt=1654720200.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654705800.000000000, search_lt=1654720200.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3573", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=120, eliminated_buckets=0, considered_events=30116039, total_slices=1224422, decompressed_slices=473782, duration.command.search.index=16583, invocations.command.search.index.bucketcache.hit=120, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=120951, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13464225, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 20:30:58.615, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654720140_1107', total_run_time=41.68, event_count=0, result_count=0, available_count=0, scan_count=30116263, drop_count=0, exec_time=1654720190, api_et=1654705740.000000000, api_lt=1654720140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654705740.000000000, search_lt=1654720140.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2785", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=120, eliminated_buckets=0, considered_events=30116263, total_slices=1222172, decompressed_slices=473757, duration.command.search.index=11554, invocations.command.search.index.bucketcache.hit=120, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=95345, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13463094, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 20:29:27.275, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654720080_1094', total_run_time=26.96, event_count=0, result_count=0, available_count=0, scan_count=30117704, drop_count=0, exec_time=1654720129, api_et=1654705680.000000000, api_lt=1654720080.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654705680.000000000, search_lt=1654720080.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2670", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=120, eliminated_buckets=0, considered_events=30117704, total_slices=1220252, decompressed_slices=473670, duration.command.search.index=11392, invocations.command.search.index.bucketcache.hit=120, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=80819, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13461154, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 20:28:28.890, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654720020_1080', total_run_time=25.38, event_count=0, result_count=0, available_count=0, scan_count=30115110, drop_count=0, exec_time=1654720069, api_et=1654705620.000000000, api_lt=1654720020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654705620.000000000, search_lt=1654720020.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2716", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=120, eliminated_buckets=0, considered_events=30115110, total_slices=1218059, decompressed_slices=473516, duration.command.search.index=11512, invocations.command.search.index.bucketcache.hit=120, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=79147, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13457436, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 20:27:27.212, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654719960_1062', total_run_time=23.69, event_count=0, result_count=0, available_count=0, scan_count=30115110, drop_count=0, exec_time=1654720009, api_et=1654705560.000000000, api_lt=1654719960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654705560.000000000, search_lt=1654719960.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2787", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=120, eliminated_buckets=0, considered_events=30115110, total_slices=1216077, decompressed_slices=473482, duration.command.search.index=11310, invocations.command.search.index.bucketcache.hit=120, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=77955, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13454389, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 20:26:29.449, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654719900_1046', total_run_time=29.72, event_count=0, result_count=0, available_count=0, scan_count=30126095, drop_count=0, exec_time=1654719949, api_et=1654705500.000000000, api_lt=1654719900.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654705500.000000000, search_lt=1654719900.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2680", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=120, eliminated_buckets=0, considered_events=30126095, total_slices=1214004, decompressed_slices=473490, duration.command.search.index=11540, invocations.command.search.index.bucketcache.hit=120, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=80567, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13452860, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 20:25:28.218, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654719840_1032', total_run_time=29.27, event_count=0, result_count=0, available_count=0, scan_count=30125073, drop_count=0, exec_time=1654719889, api_et=1654705440.000000000, api_lt=1654719840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654705440.000000000, search_lt=1654719840.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2859", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=120, eliminated_buckets=0, considered_events=30125073, total_slices=1211710, decompressed_slices=473436, duration.command.search.index=11961, invocations.command.search.index.bucketcache.hit=120, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=82089, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13449769, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 20:24:27.359, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654719780_1008', total_run_time=24.84, event_count=0, result_count=0, available_count=0, scan_count=30123742, drop_count=0, exec_time=1654719829, api_et=1654705380.000000000, api_lt=1654719780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654705380.000000000, search_lt=1654719780.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2899", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=120, eliminated_buckets=0, considered_events=30123742, total_slices=1209924, decompressed_slices=473373, duration.command.search.index=11638, invocations.command.search.index.bucketcache.hit=120, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=78540, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13446395, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 20:23:28.121, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654719720_976', total_run_time=29.67, event_count=0, result_count=0, available_count=0, scan_count=30123683, drop_count=0, exec_time=1654719769, api_et=1654705320.000000000, api_lt=1654719720.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654705320.000000000, search_lt=1654719720.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3143", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=120, eliminated_buckets=0, considered_events=30123683, total_slices=1207952, decompressed_slices=473310, duration.command.search.index=11812, invocations.command.search.index.bucketcache.hit=120, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=86467, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13442771, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 20:22:27.629, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654719660_960', total_run_time=24.52, event_count=0, result_count=0, available_count=0, scan_count=30122355, drop_count=0, exec_time=1654719709, api_et=1654705260.000000000, api_lt=1654719660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654705260.000000000, search_lt=1654719660.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2828", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=120, eliminated_buckets=0, considered_events=30122355, total_slices=1205802, decompressed_slices=473237, duration.command.search.index=11663, invocations.command.search.index.bucketcache.hit=120, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=80591, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13438055, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 20:21:52.234, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654719600_932', total_run_time=22.30, event_count=0, result_count=0, available_count=0, scan_count=30115734, drop_count=0, exec_time=1654719649, api_et=1654705200.000000000, api_lt=1654719600.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654705200.000000000, search_lt=1654719600.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2768", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=120, eliminated_buckets=0, considered_events=30115734, total_slices=1203851, decompressed_slices=473229, duration.command.search.index=14311, invocations.command.search.index.bucketcache.hit=120, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=93465, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13433420, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 20:20:28.974, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654719540_908', total_run_time=21.62, event_count=0, result_count=0, available_count=0, scan_count=30106024, drop_count=0, exec_time=1654719589, api_et=1654705140.000000000, api_lt=1654719540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654705140.000000000, search_lt=1654719540.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2999", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=120, eliminated_buckets=0, considered_events=30106024, total_slices=1201736, decompressed_slices=473072, duration.command.search.index=11535, invocations.command.search.index.bucketcache.hit=120, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=87431, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13428427, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 20:19:27.361, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654719480_883', total_run_time=34.53, event_count=0, result_count=0, available_count=0, scan_count=30098771, drop_count=0, exec_time=1654719529, api_et=1654705080.000000000, api_lt=1654719480.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654705080.000000000, search_lt=1654719480.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2841", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=120, eliminated_buckets=0, considered_events=30098771, total_slices=1199785, decompressed_slices=472939, duration.command.search.index=12285, invocations.command.search.index.bucketcache.hit=120, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=84092, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13422281, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 20:18:57.570, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654719420_863', total_run_time=41.46, event_count=0, result_count=0, available_count=0, scan_count=30090396, drop_count=0, exec_time=1654719469, api_et=1654705020.000000000, api_lt=1654719420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654705020.000000000, search_lt=1654719420.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2834", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=120, eliminated_buckets=0, considered_events=30090396, total_slices=1197575, decompressed_slices=472812, duration.command.search.index=12160, invocations.command.search.index.bucketcache.hit=120, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=83570, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13416415, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 20:17:28.224, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654719360_840', total_run_time=35.20, event_count=0, result_count=0, available_count=0, scan_count=30090712, drop_count=0, exec_time=1654719409, api_et=1654704960.000000000, api_lt=1654719360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654704960.000000000, search_lt=1654719360.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2629", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=120, eliminated_buckets=0, considered_events=30090712, total_slices=1195565, decompressed_slices=472832, duration.command.search.index=11525, invocations.command.search.index.bucketcache.hit=120, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=83463, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13410966, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 20:16:58.698, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654719360_834', total_run_time=44.13, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654719370, api_et=1654715160.000000000, api_lt=1654718760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654715760.000000000, search_lt=1654719372.927613000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3793", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_c687673d0a2e33a2", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1090, eliminated_buckets=387, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=2551, invocations.command.search.index.bucketcache.hit=1090, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes 
values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 20:16:27.546, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654719300_823', total_run_time=22.62, event_count=0, result_count=0, available_count=0, scan_count=30088328, drop_count=0, exec_time=1654719350, api_et=1654704900.000000000, api_lt=1654719300.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654704900.000000000, search_lt=1654719300.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2707", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=120, eliminated_buckets=0, considered_events=30088328, total_slices=1193527, decompressed_slices=472799, 
duration.command.search.index=10724, invocations.command.search.index.bucketcache.hit=120, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=78974, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13407161, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 20:15:27.178, user=u00002, action=search, 
info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654719240_804', total_run_time=29.00, event_count=0, result_count=0, available_count=0, scan_count=30087173, drop_count=0, exec_time=1654719290, api_et=1654704840.000000000, api_lt=1654719240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654704840.000000000, search_lt=1654719240.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2734", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=120, eliminated_buckets=0, considered_events=30087173, total_slices=1191395, decompressed_slices=472789, duration.command.search.index=10555, invocations.command.search.index.bucketcache.hit=120, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=80149, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13403598, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" 
src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 20:14:57.167, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654719240_790', total_run_time=7.57, event_count=0, result_count=0, available_count=0, scan_count=16807, drop_count=0, exec_time=1654719263, api_et=1654715640.000000000, api_lt=1654719240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654715640.000000000, search_lt=1654719265.004552000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2801", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=414, eliminated_buckets=287, considered_events=16935, total_slices=564590, decompressed_slices=5774, duration.command.search.index=1288, invocations.command.search.index.bucketcache.hit=412, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, 
invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=6474, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=79, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=658, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=1565, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=386, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=60, sourcetype_count__crowdstrike:falcon:fdr:PdfFileWritten=2, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=994, sourcetype_count__crowdstrike:falcon:fdr:RtfFileWritten=1, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=12, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR 
sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." 
(CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-08-2022 20:14:27.152, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654719180_780', total_run_time=27.68, event_count=0, result_count=0, available_count=0, scan_count=30084654, drop_count=0, exec_time=1654719229, api_et=1654704780.000000000, api_lt=1654719180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654704780.000000000, search_lt=1654719180.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2724", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=120, eliminated_buckets=0, considered_events=30084654, total_slices=1189387, decompressed_slices=472662, duration.command.search.index=11139, invocations.command.search.index.bucketcache.hit=120, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=77546, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13398657, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 20:13:27.094, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654719120_753', total_run_time=29.62, event_count=0, result_count=0, available_count=0, scan_count=30084290, drop_count=0, exec_time=1654719169, api_et=1654704720.000000000, api_lt=1654719120.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654704720.000000000, search_lt=1654719120.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3191", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=120, eliminated_buckets=0, considered_events=30084290, total_slices=1187263, decompressed_slices=472643, duration.command.search.index=10993, invocations.command.search.index.bucketcache.hit=120, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=78652, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13393328, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 20:12:31.018, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654719060_735', total_run_time=29.19, event_count=0, result_count=0, available_count=0, scan_count=30083361, drop_count=0, exec_time=1654719110, api_et=1654704660.000000000, api_lt=1654719060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654704660.000000000, search_lt=1654719060.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2652", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=120, eliminated_buckets=0, considered_events=30083361, total_slices=1185335, decompressed_slices=472559, duration.command.search.index=11787, invocations.command.search.index.bucketcache.hit=120, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=84993, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13387544, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 20:12:30.997, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654719060_717', total_run_time=5.40, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654719064, api_et=1654715460.000000000, api_lt=1654719060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654715460.000000000, search_lt=1654719067.264997000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="3324", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_d0aa3df2dfc2fd98", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=123, eliminated_buckets=49, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=35, invocations.command.search.index.bucketcache.hit=123, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting 
to collect intellectual property from the Gitlab source control system." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 20:12:29.799, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654719000_710', total_run_time=32.58, event_count=0, result_count=0, available_count=0, scan_count=30080818, drop_count=0, exec_time=1654719050, api_et=1654704600.000000000, api_lt=1654719000.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654704600.000000000, search_lt=1654719000.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2692", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=120, eliminated_buckets=0, considered_events=30080818, total_slices=1183291, decompressed_slices=472489, duration.command.search.index=11827, invocations.command.search.index.bucketcache.hit=120, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=84830, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13384027, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 20:10:27.250, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654718940_691', total_run_time=32.84, event_count=0, result_count=0, available_count=0, scan_count=30080061, drop_count=0, exec_time=1654718989, api_et=1654704540.000000000, api_lt=1654718940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654704540.000000000, search_lt=1654718940.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2719", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=120, eliminated_buckets=0, considered_events=30080061, total_slices=1181235, decompressed_slices=472463, duration.command.search.index=10684, invocations.command.search.index.bucketcache.hit=120, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=80359, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13379453, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 20:09:44.283, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654718940_683', total_run_time=18.36, event_count=0, result_count=0, available_count=0, scan_count=5008705, drop_count=0, exec_time=1654718945, api_et=1654714740.000000000, api_lt=1654718340.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654714740.000000000, search_lt=1654718340.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3208", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_05e1a15673ad7eec", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=822, eliminated_buckets=403, considered_events=5008705, total_slices=1087802, decompressed_slices=238792, duration.command.search.index=2081, invocations.command.search.index.bucketcache.hit=821, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=37687, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=236, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 20:09:44.213, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654718820_654', total_run_time=5.99, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654718846, api_et=1654715220.000000000, api_lt=1654718820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654715220.000000000, search_lt=1654718848.325339000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab 
Servers - Rule", search_startup_time="3206", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_ba9e34721f63fb70", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=408, eliminated_buckets=197, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=992, invocations.command.search.index.bucketcache.hit=408, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host 
ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 20:09:44.168, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654718760_639', total_run_time=21.56, event_count=0, result_count=0, available_count=0, scan_count=30057667, drop_count=0, exec_time=1654718810, api_et=1654704360.000000000, api_lt=1654718760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654704360.000000000, search_lt=1654718760.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3407", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=121, eliminated_buckets=0, considered_events=30057667, total_slices=1201402, decompressed_slices=472218, duration.command.search.index=11703, invocations.command.search.index.bucketcache.hit=121, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=79020, invocations.command.search.rawdata.bucketcache.hit=5, 
duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13363466, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 20:09:44.067, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654718700_625', total_run_time=25.24, event_count=0, result_count=0, available_count=0, scan_count=30047501, drop_count=0, exec_time=1654718749, api_et=1654704300.000000000, api_lt=1654718700.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654704300.000000000, 
search_lt=1654718700.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3318", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=121, eliminated_buckets=0, considered_events=30047501, total_slices=1199287, decompressed_slices=472104, duration.command.search.index=11262, invocations.command.search.index.bucketcache.hit=121, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=79383, invocations.command.search.rawdata.bucketcache.hit=5, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13357903, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | 
search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 20:09:43.793, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654718820_662', total_run_time=19.92, event_count=1159, result_count=57, available_count=0, scan_count=558403, drop_count=0, exec_time=1654718880, api_et=1654715220.000000000, api_lt=1654718820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654715220.000000000, search_lt=1654718882.667818000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2893", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=408, eliminated_buckets=197, considered_events=562951, total_slices=645031, decompressed_slices=149631, duration.command.search.index=4407, invocations.command.search.index.bucketcache.hit=408, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=42521, invocations.command.search.rawdata.bucketcache.hit=5, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, 
sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=3, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=448058, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=43892, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-08-2022 20:09:42.590, user=u00002, action=search, info=completed, 
search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654718880_675', total_run_time=34.59, event_count=0, result_count=0, available_count=0, scan_count=30075828, drop_count=0, exec_time=1654718929, api_et=1654704480.000000000, api_lt=1654718880.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654704480.000000000, search_lt=1654718880.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2841", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=120, eliminated_buckets=0, considered_events=30075828, total_slices=1179284, decompressed_slices=472404, duration.command.search.index=11511, invocations.command.search.index.bucketcache.hit=120, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=78787, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13375075, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" 
src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 20:09:41.376, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654718820_659', total_run_time=35.63, event_count=0, result_count=0, available_count=0, scan_count=30066593, drop_count=0, exec_time=1654718870, api_et=1654704420.000000000, api_lt=1654718820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654704420.000000000, search_lt=1654718820.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2811", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=120, eliminated_buckets=0, considered_events=30066593, total_slices=1177050, decompressed_slices=472240, duration.command.search.index=12499, invocations.command.search.index.bucketcache.hit=120, duration.command.search.index.bucketcache.hit=0, 
invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=83557, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13367744, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 20:05:55.980, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654718640_608', total_run_time=46.28, 
event_count=0, result_count=0, available_count=0, scan_count=30035194, drop_count=0, exec_time=1654718690, api_et=1654704240.000000000, api_lt=1654718640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654704240.000000000, search_lt=1654718640.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2970", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=122, eliminated_buckets=0, considered_events=30035194, total_slices=1223399, decompressed_slices=471954, duration.command.search.index=12211, invocations.command.search.index.bucketcache.hit=122, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=89968, invocations.command.search.rawdata.bucketcache.hit=6, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13351537, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, 
dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 20:03:56.183, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654718520_522', total_run_time=59.14, event_count=0, result_count=0, available_count=0, scan_count=30007763, drop_count=0, exec_time=1654718569, api_et=1654704120.000000000, api_lt=1654718520.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654704120.000000000, search_lt=1654718520.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2692", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=122, eliminated_buckets=0, considered_events=30007763, total_slices=1218950, decompressed_slices=471442, duration.command.search.index=15614, invocations.command.search.index.bucketcache.hit=122, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, 
duration.command.search.rawdata=129711, invocations.command.search.rawdata.bucketcache.hit=6, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13333907, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 20:01:56.107, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654718400_463', total_run_time=65.72, event_count=0, result_count=0, available_count=0, scan_count=29991117, drop_count=0, exec_time=1654718449, api_et=1654704000.000000000, api_lt=1654718400.000000000, 
api_index_et=N/A, api_index_lt=N/A, search_et=1654704000.000000000, search_lt=1654718400.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2754", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=122, eliminated_buckets=0, considered_events=29991117, total_slices=1214758, decompressed_slices=471124, duration.command.search.index=19240, invocations.command.search.index.bucketcache.hit=122, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=223193, invocations.command.search.rawdata.bucketcache.hit=6, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13321307, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | 
eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 19:44:18.046, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654717380_164', total_run_time=29.52, event_count=0, result_count=0, available_count=0, scan_count=4640, drop_count=0, exec_time=1654717418, api_et=1654713780.000000000, api_lt=1654717380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654713780.000000000, search_lt=1654717420.493589000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2847", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_e33ee1e07ccf8c9d", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=116, eliminated_buckets=0, considered_events=4640, total_slices=969385, decompressed_slices=1369, duration.command.search.index=1238, invocations.command.search.index.bucketcache.hit=116, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4964, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, 
invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 19:34:33.667, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654716780_99958', total_run_time=44.99, event_count=0, result_count=0, available_count=0, scan_count=41710095, drop_count=0, exec_time=1654716805, api_et=1654713180.000000000, api_lt=1654716780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654713180.000000000, search_lt=1654716807.349541000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter 
vulnerability exploit attempt - Rule", search_startup_time="3865", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_b3bde281cf3ecaef", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1968, eliminated_buckets=137, considered_events=41710095, total_slices=14242170, decompressed_slices=4095492, duration.command.search.index=14932, invocations.command.search.index.bucketcache.hit=1952, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=238358, invocations.command.search.rawdata.bucketcache.hit=309, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, 
risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 19:16:32.583, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654715760_99618', total_run_time=11.84, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654715771, api_et=1654711560.000000000, api_lt=1654715160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654712160.000000000, search_lt=1654715772.801015000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3286", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_05be6fa0049a44d6", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1092, eliminated_buckets=387, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=854, invocations.command.search.index.bucketcache.hit=1091, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, 
invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 19:14:32.862, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654715640_99578', total_run_time=5.46, event_count=0, result_count=0, available_count=0, scan_count=16086, drop_count=0, exec_time=1654715664, api_et=1654712040.000000000, api_lt=1654715640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654712040.000000000, search_lt=1654715665.905529000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2880", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=410, eliminated_buckets=284, considered_events=16197, total_slices=468921, decompressed_slices=5627, duration.command.search.index=1373, invocations.command.search.index.bucketcache.hit=410, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=6465, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=101, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=645, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=1639, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=384, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=9, 
sourcetype_count__crowdstrike:falcon:fdr:PdfFileWritten=2, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=935, sourcetype_count__crowdstrike:falcon:fdr:RtfFileWritten=1, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=10, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR 
sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-08-2022 19:13:01.233, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654715460_99511', total_run_time=5.02, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654715464, api_et=1654711860.000000000, api_lt=1654715460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654711860.000000000, search_lt=1654715466.764069000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2991", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_ab2e7c4d263f83e0", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=124, eliminated_buckets=50, considered_events=0, total_slices=0, decompressed_slices=0, 
duration.command.search.index=36, invocations.command.search.index.bucketcache.hit=124, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 19:09:44.662, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654715340_99479', total_run_time=18.39, event_count=0, result_count=0, available_count=0, scan_count=5305928, drop_count=0, exec_time=1654715345, api_et=1654711140.000000000, api_lt=1654714740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654711140.000000000, search_lt=1654714740.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3199", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_0b107c8a656d4a68", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=829, eliminated_buckets=409, considered_events=5305928, total_slices=1139932, decompressed_slices=248344, duration.command.search.index=2111, invocations.command.search.index.bucketcache.hit=826, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=39088, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=203, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 19:08:44.851, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654715220_99466', total_run_time=25.46, event_count=1176, result_count=61, available_count=0, scan_count=584144, drop_count=0, exec_time=1654715284, api_et=1654711620.000000000, api_lt=1654715220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654711620.000000000, search_lt=1654715286.296915000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2827", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=413, eliminated_buckets=198, considered_events=587610, total_slices=590062, decompressed_slices=152239, duration.command.search.index=4458, invocations.command.search.index.bucketcache.hit=413, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=46690, invocations.command.search.rawdata.bucketcache.hit=6, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=11, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=460358, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=45989, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype 
CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-08-2022 19:07:44.707, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654715220_99455', total_run_time=8.38, event_count=0, result_count=0, available_count=0, scan_count=4, drop_count=0, exec_time=1654715246, api_et=1654711620.000000000, api_lt=1654715220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654711620.000000000, search_lt=1654715248.651167000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2942", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_c1defed3729c7712", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=413, eliminated_buckets=198, considered_events=4, total_slices=23443, decompressed_slices=4, duration.command.search.index=1036, invocations.command.search.index.bucketcache.hit=413, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=640, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 18:44:34.792, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654713780_98983', total_run_time=49.93, event_count=0, result_count=0, available_count=0, scan_count=4144, drop_count=0, exec_time=1654713818, api_et=1654710180.000000000, api_lt=1654713780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654710180.000000000, search_lt=1654713820.678470000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2896", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_890860444153c11f", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=116, eliminated_buckets=0, considered_events=4144, total_slices=879598, decompressed_slices=1259, duration.command.search.index=1546, invocations.command.search.index.bucketcache.hit=116, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=6030, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 18:34:34.539, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654713180_98773', total_run_time=45.52, event_count=0, result_count=0, available_count=0, scan_count=42130643, drop_count=0, exec_time=1654713205, api_et=1654709580.000000000, api_lt=1654713180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654709580.000000000, search_lt=1654713207.386981000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3921", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_d389efaad72d21fb", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1913, eliminated_buckets=137, considered_events=42130643, total_slices=14126412, decompressed_slices=4171259, duration.command.search.index=15366, invocations.command.search.index.bucketcache.hit=1912, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=246285, invocations.command.search.rawdata.bucketcache.hit=295, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 18:16:43.759, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654712160_98421', total_run_time=18.79, event_count=0, result_count=0, available_count=0, scan_count=16, drop_count=0, exec_time=1654712170, api_et=1654707960.000000000, api_lt=1654711560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654708560.000000000, search_lt=1654712172.175271000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3314", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_fd146f71e0946167", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1090, eliminated_buckets=388, considered_events=16, total_slices=1463, decompressed_slices=1, duration.command.search.index=724, invocations.command.search.index.bucketcache.hit=1090, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=110, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 18:14:43.728, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654712040_98381', total_run_time=7.55, event_count=0, result_count=0, available_count=0, scan_count=16034, drop_count=0, exec_time=1654712063, api_et=1654708440.000000000, api_lt=1654712040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654708440.000000000, search_lt=1654712065.648245000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2820", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=413, eliminated_buckets=284, considered_events=16048, total_slices=421568, decompressed_slices=5230, duration.command.search.index=1536, invocations.command.search.index.bucketcache.hit=413, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=7138, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=79, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=629, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=1627, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=382, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=5, 
sourcetype_count__crowdstrike:falcon:fdr:PdfFileWritten=2, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=704, sourcetype_count__crowdstrike:falcon:fdr:RtfFileWritten=1, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=3, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR 
sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-08-2022 18:12:48.115, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654711860_98315', total_run_time=5.35, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654711865, api_et=1654708260.000000000, api_lt=1654711860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654708260.000000000, search_lt=1654711867.972597000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="3281", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_aba99cbe6e434d4c", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=125, eliminated_buckets=49, considered_events=0, total_slices=0, decompressed_slices=0, 
duration.command.search.index=39, invocations.command.search.index.bucketcache.hit=125, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 18:10:06.253, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654711740_98281', total_run_time=20.52, event_count=0, result_count=0, available_count=0, scan_count=5038516, drop_count=0, exec_time=1654711745, api_et=1654707540.000000000, api_lt=1654711140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654707540.000000000, search_lt=1654711140.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3219", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_8f5070d9ec205d68", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=825, eliminated_buckets=403, considered_events=5038516, total_slices=1082305, decompressed_slices=239230, duration.command.search.index=2162, invocations.command.search.index.bucketcache.hit=822, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=40196, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=133, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 18:10:05.347, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654711620_98255', total_run_time=8.10, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654711646, api_et=1654708020.000000000, api_lt=1654711620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654708020.000000000, search_lt=1654711647.889327000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To 
Gitlab Servers - Rule", search_startup_time="2748", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_92e30d76f8b49edd", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=417, eliminated_buckets=202, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=1261, invocations.command.search.index.bucketcache.hit=417, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host 
ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 18:10:05.056, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654711620_98266', total_run_time=25.92, event_count=1246, result_count=60, available_count=0, scan_count=576205, drop_count=0, exec_time=1654711684, api_et=1654708020.000000000, api_lt=1654711620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654708020.000000000, search_lt=1654711686.675503000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2818", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=417, eliminated_buckets=202, considered_events=581502, total_slices=566073, decompressed_slices=157437, duration.command.search.index=6313, invocations.command.search.index.bucketcache.hit=417, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=64560, invocations.command.search.rawdata.bucketcache.hit=6, duration.command.search.rawdata.bucketcache.hit=0, 
invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=4, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=453511, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=46528, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] 
Audit:[timestamp=06-08-2022 17:45:13.397, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654710180_97787', total_run_time=70.04, event_count=0, result_count=0, available_count=0, scan_count=4008, drop_count=0, exec_time=1654710218, api_et=1654706580.000000000, api_lt=1654710180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654706580.000000000, search_lt=1654710223.830306000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="6446", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_5f9375141f1e2a81", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=121, eliminated_buckets=0, considered_events=4008, total_slices=685125, decompressed_slices=1220, duration.command.search.index=1674, invocations.command.search.index.bucketcache.hit=121, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=6936, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search 
index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 17:34:31.259, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654709580_97571', total_run_time=38.26, event_count=0, result_count=0, available_count=0, scan_count=42372741, drop_count=0, exec_time=1654709606, api_et=1654705980.000000000, api_lt=1654709580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654705980.000000000, search_lt=1654709608.563153000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3820", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_bd075753c01c96e9", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1931, eliminated_buckets=137, considered_events=42372741, total_slices=14321465, decompressed_slices=4181848, duration.command.search.index=16095, 
invocations.command.search.index.bucketcache.hit=1931, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=239295, invocations.command.search.rawdata.bucketcache.hit=316, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 17:20:19.012, user=u00001, action=search, info=completed, 
search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654708560_97200', total_run_time=10.23, event_count=0, result_count=0, available_count=0, scan_count=11, drop_count=0, exec_time=1654708571, api_et=1654704360.000000000, api_lt=1654707960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654704960.000000000, search_lt=1654708572.885732000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3971", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_53e4df0daedcc32c", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1095, eliminated_buckets=390, considered_events=11, total_slices=2678, decompressed_slices=1, duration.command.search.index=849, invocations.command.search.index.bucketcache.hit=1094, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=148, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR 
sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metadata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metadata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 17:15:02.044, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654708440_97159', total_run_time=12.19, event_count=0, result_count=0, available_count=0, scan_count=18244, drop_count=0, exec_time=1654708463, api_et=1654704840.000000000, api_lt=1654708440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654704840.000000000, search_lt=1654708464.961056000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2845", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=434, eliminated_buckets=292, considered_events=18336, total_slices=548368, decompressed_slices=5668, duration.command.search.index=1672, invocations.command.search.index.bucketcache.hit=434, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=7136, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=73, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=635, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=1663, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=401, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=14, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=661, sourcetype_count__crowdstrike:falcon:fdr:RtfFileWritten=1, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=15, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR 
sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-08-2022 17:11:56.311, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654708260_97093', total_run_time=4.93, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654708265, api_et=1654704660.000000000, api_lt=1654708260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654704660.000000000, search_lt=1654708267.276716000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2961", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_f5130ad83441cbb4", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=129, eliminated_buckets=51, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=41, 
invocations.command.search.index.bucketcache.hit=129, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 17:09:32.081, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654708140_97049', total_run_time=20.83, event_count=1, result_count=1, available_count=0, scan_count=5349703, drop_count=0, exec_time=1654708145, api_et=1654703940.000000000, api_lt=1654707540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654703940.000000000, search_lt=1654707540.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3206", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_fda26d45a7aae657", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=800, eliminated_buckets=388, considered_events=5349703, total_slices=1109275, decompressed_slices=243841, duration.command.search.index=2096, invocations.command.search.index.bucketcache.hit=800, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=38691, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=141, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?<granted_account_id>\d+?):(?<granted_principal_name>.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 17:08:32.162, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654708020_97036', total_run_time=24.28, event_count=1242, result_count=71, available_count=0, scan_count=579739, drop_count=0, exec_time=1654708085, api_et=1654704420.000000000, api_lt=1654708020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654704420.000000000, search_lt=1654708087.050761000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="3040", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=435, eliminated_buckets=216, considered_events=585936, total_slices=646267, decompressed_slices=145320, duration.command.search.index=5616, invocations.command.search.index.bucketcache.hit=435, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=49620, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=1, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=455829, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=46840, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype 
CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-08-2022 17:07:51.755, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654708020_97024', total_run_time=10.74, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654708046, api_et=1654704420.000000000, api_lt=1654708020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654704420.000000000, search_lt=1654708048.655430000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2857", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_3089fd95facbc212", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=435, eliminated_buckets=216, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=1133, invocations.command.search.index.bucketcache.hit=435, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 17:01:05.938, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654707540_96823', total_run_time=59.53, event_count=0, result_count=0, available_count=0, scan_count=28851705, drop_count=0, exec_time=1654707591, api_et=1654693140.000000000, api_lt=1654707540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654693140.000000000, search_lt=1654707540.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3319", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=28851705, total_slices=1201458, decompressed_slices=433881, duration.command.search.index=11304, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=91995, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12098729, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 16:59:35.831, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654707480_96810', total_run_time=39.12, event_count=0, result_count=0, available_count=0, scan_count=28845649, drop_count=0, exec_time=1654707530, api_et=1654693080.000000000, api_lt=1654707480.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654693080.000000000, search_lt=1654707480.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3126", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=28845649, total_slices=1199533, decompressed_slices=433674, duration.command.search.index=10958, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=81336, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12095611, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 16:58:35.891, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654707420_96793', total_run_time=30.60, event_count=0, result_count=0, available_count=0, scan_count=28837917, drop_count=0, exec_time=1654707469, api_et=1654693020.000000000, api_lt=1654707420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654693020.000000000, search_lt=1654707420.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2764", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=28837917, total_slices=1223858, decompressed_slices=433506, duration.command.search.index=10720, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=79862, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12092107, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 16:57:35.863, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654707360_96774', total_run_time=23.19, event_count=0, result_count=0, available_count=0, scan_count=28830182, drop_count=0, exec_time=1654707409, api_et=1654692960.000000000, api_lt=1654707360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654692960.000000000, search_lt=1654707360.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2554", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=28830182, total_slices=1221522, decompressed_slices=433310, duration.command.search.index=10496, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=73449, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12086077, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 16:56:35.752, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654707300_96763', total_run_time=33.12, event_count=0, result_count=0, available_count=0, scan_count=28825340, drop_count=0, exec_time=1654707349, api_et=1654692900.000000000, api_lt=1654707300.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654692900.000000000, search_lt=1654707300.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2660", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=1, considered_events=28825340, total_slices=1219758, decompressed_slices=432897, duration.command.search.index=11028, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=80300, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12081142, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 16:55:35.672, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654707240_96746', total_run_time=36.63, event_count=0, result_count=0, available_count=0, scan_count=28818160, drop_count=0, exec_time=1654707289, api_et=1654692840.000000000, api_lt=1654707240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654692840.000000000, search_lt=1654707240.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2637", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=1, considered_events=28818160, total_slices=1217039, decompressed_slices=432838, duration.command.search.index=11694, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=79969, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12075273, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 16:54:35.733, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654707180_96730', total_run_time=35.56, event_count=0, result_count=0, available_count=0, scan_count=28809738, drop_count=0, exec_time=1654707229, api_et=1654692780.000000000, api_lt=1654707180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654692780.000000000, search_lt=1654707180.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3164", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=1, considered_events=28809738, total_slices=1215079, decompressed_slices=432626, duration.command.search.index=10939, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=77779, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12069884, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 16:53:26.187, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654707120_96706', total_run_time=35.28, event_count=0, result_count=0, available_count=0, scan_count=28800046, drop_count=0, exec_time=1654707169, api_et=1654692720.000000000, api_lt=1654707120.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654692720.000000000, search_lt=1654707120.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2823", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=1, considered_events=28800046, total_slices=1212961, decompressed_slices=432375, duration.command.search.index=11468, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=84109, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12065102, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 16:53:07.315, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654707000_96664', total_run_time=49.75, event_count=0, result_count=0, available_count=0, scan_count=28783349, drop_count=0, exec_time=1654707049, api_et=1654692600.000000000, api_lt=1654707000.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654692600.000000000, search_lt=1654707000.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3117", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=28783349, total_slices=1209054, decompressed_slices=431852, duration.command.search.index=13361, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=87501, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12052441, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 16:53:06.166, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654707060_96689', total_run_time=34.36, event_count=0, result_count=0, available_count=0, scan_count=28791136, drop_count=0, exec_time=1654707109, api_et=1654692660.000000000, api_lt=1654707060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654692660.000000000, search_lt=1654707060.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2807", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=1, considered_events=28791136, total_slices=1210880, decompressed_slices=432131, duration.command.search.index=12060, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=85834, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12060599, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 16:50:56.003, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654706940_96627', total_run_time=44.98, event_count=0, result_count=0, available_count=0, scan_count=28776410, drop_count=0, exec_time=1654706989, api_et=1654692540.000000000, api_lt=1654706940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654692540.000000000, search_lt=1654706940.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3212", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=28776410, total_slices=1206783, decompressed_slices=431721, duration.command.search.index=11042, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=88323, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12048484, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 16:49:56.006, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654706880_96605', total_run_time=37.11, event_count=0, result_count=0, available_count=0, scan_count=28771014, drop_count=0, exec_time=1654706930, api_et=1654692480.000000000, api_lt=1654706880.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654692480.000000000, search_lt=1654706880.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3114", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=28771014, total_slices=1204842, decompressed_slices=431479, duration.command.search.index=11290, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=83618, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12045465, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 16:48:30.571, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654706820_96588', total_run_time=34.13, event_count=0, result_count=0, available_count=0, scan_count=28766966, drop_count=0, exec_time=1654706870, api_et=1654692420.000000000, api_lt=1654706820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654692420.000000000, search_lt=1654706820.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3271", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=28766966, total_slices=1228933, decompressed_slices=431260, duration.command.search.index=10409, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=81022, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12042172, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 16:48:30.282, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654706700_96548', total_run_time=29.19, event_count=0, result_count=0, available_count=0, scan_count=28756293, drop_count=0, exec_time=1654706751, api_et=1654692300.000000000, api_lt=1654706700.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654692300.000000000, search_lt=1654706700.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3459", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=28756293, total_slices=1224797, decompressed_slices=430894, duration.command.search.index=10136, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=78604, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12032891, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 16:48:26.899, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654706760_96566', total_run_time=22.84, event_count=0, result_count=0, available_count=0, scan_count=28758514, drop_count=0, exec_time=1654706810, api_et=1654692360.000000000, api_lt=1654706760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654692360.000000000, search_lt=1654706760.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3079", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=28758514, total_slices=1226850, decompressed_slices=431052, duration.command.search.index=10469, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=73285, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12038245, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 16:45:41.436, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654706640_96526', total_run_time=35.64, event_count=0, result_count=0, available_count=0, scan_count=28770230, drop_count=0, exec_time=1654706689, api_et=1654692240.000000000, api_lt=1654706640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654692240.000000000, search_lt=1654706640.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2800", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=28770230, total_slices=1273740, decompressed_slices=430890, duration.command.search.index=10789, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=78025, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12027291, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 16:44:31.023, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654706580_96502', total_run_time=44.51, event_count=0, result_count=0, available_count=0, scan_count=2907, drop_count=0, exec_time=1654706618, api_et=1654702980.000000000, api_lt=1654706580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654702980.000000000, search_lt=1654706620.426866000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2942", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_b3729402155411b0", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=123, eliminated_buckets=0, considered_events=2907, total_slices=628910, decompressed_slices=863, duration.command.search.index=1385, invocations.command.search.index.bucketcache.hit=123, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5051, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 16:44:30.874, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654706580_96505', total_run_time=37.90, event_count=0, result_count=0, available_count=0, scan_count=28784080, drop_count=0, exec_time=1654706629, api_et=1654692180.000000000, api_lt=1654706580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654692180.000000000, search_lt=1654706580.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3574", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=28784080, total_slices=1271854, decompressed_slices=430776, duration.command.search.index=10823, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=78073, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12024190, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 16:44:10.748, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654706520_96477', total_run_time=39.33, event_count=0, result_count=0, available_count=0, scan_count=28803825, drop_count=0, exec_time=1654706569, api_et=1654692120.000000000, api_lt=1654706520.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654692120.000000000, search_lt=1654706520.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2654", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=28803825, total_slices=1296109, decompressed_slices=430742, duration.command.search.index=12235, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=86669, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12021501, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 16:44:10.664, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654706340_96396', total_run_time=59.83, event_count=0, result_count=0, available_count=0, scan_count=28838608, drop_count=0, exec_time=1654706390, api_et=1654691940.000000000, api_lt=1654706340.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654691940.000000000, search_lt=1654706340.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2730", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=28838608, total_slices=1290004, decompressed_slices=430240, duration.command.search.index=11944, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=97525, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12000784, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 16:44:09.483, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654706460_96454', total_run_time=38.67, event_count=0, result_count=0, available_count=0, scan_count=28813230, drop_count=0, exec_time=1654706510, api_et=1654692060.000000000, api_lt=1654706460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654692060.000000000, search_lt=1654706460.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2825", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=28813230, total_slices=1294344, decompressed_slices=430628, duration.command.search.index=13158, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=96654, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12015373, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 16:39:46.683, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654706280_96379', total_run_time=35.95, event_count=0, result_count=0, available_count=0, scan_count=28848016, drop_count=0, exec_time=1654706330, api_et=1654691880.000000000, api_lt=1654706280.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654691880.000000000, search_lt=1654706280.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3038", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=28848016, total_slices=1288063, decompressed_slices=430072, duration.command.search.index=10885, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=77650, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11994552, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 16:39:17.233, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654706220_96366', total_run_time=39.28, event_count=0, result_count=0, available_count=0, scan_count=28857526, drop_count=0, exec_time=1654706270, api_et=1654691820.000000000, api_lt=1654706220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654691820.000000000, search_lt=1654706220.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2697", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=28857526, total_slices=1285017, decompressed_slices=429930, duration.command.search.index=10804, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=75565, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11987831, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 16:39:16.374, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654706160_96351', total_run_time=37.76, event_count=0, result_count=0, available_count=0, scan_count=28867298, drop_count=0, exec_time=1654706210, api_et=1654691760.000000000, api_lt=1654706160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654691760.000000000, search_lt=1654706160.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2850", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=28867298, total_slices=1283928, decompressed_slices=429937, duration.command.search.index=10996, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=77761, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11979926, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 16:39:16.311, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654706040_96321', total_run_time=84.29, event_count=0, result_count=0, available_count=0, scan_count=28871925, drop_count=0, exec_time=1654706090, api_et=1654691640.000000000, api_lt=1654706040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654691640.000000000, search_lt=1654706040.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2911", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=28871925, total_slices=1279852, decompressed_slices=429520, duration.command.search.index=14629, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=92469, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11961710, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 16:34:36.213, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654705920_96250', total_run_time=91.35, event_count=0, result_count=0, available_count=0, scan_count=28882783, drop_count=0, exec_time=1654705969, api_et=1654691520.000000000, api_lt=1654705920.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654691520.000000000, search_lt=1654705920.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3413", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=28882783, total_slices=1275482, decompressed_slices=429215, duration.command.search.index=16286, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=116740, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11942126, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 16:34:05.544, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654705980_96274', total_run_time=37.69, event_count=0, result_count=0, available_count=0, scan_count=42430213, drop_count=0, exec_time=1654706006, api_et=1654702380.000000000, api_lt=1654705980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654702380.000000000, search_lt=1654706008.718950000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3972", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_25066523493255e5", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1918, eliminated_buckets=137, considered_events=42430213, total_slices=14103290, decompressed_slices=4185621, duration.command.search.index=20074, invocations.command.search.index.bucketcache.hit=1918, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=230700, invocations.command.search.rawdata.bucketcache.hit=297, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 16:33:05.891, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654705800_96194', total_run_time=108.35, event_count=0, result_count=0, available_count=0, scan_count=28898302, drop_count=0, exec_time=1654705850, api_et=1654691400.000000000, api_lt=1654705800.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654691400.000000000, search_lt=1654705800.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3113", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=28898302, total_slices=1271370, decompressed_slices=428964, duration.command.search.index=19593, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=146781, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11923428, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 16:30:05.568, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654705680_96139', total_run_time=59.25, event_count=0, result_count=0, available_count=0, scan_count=28916260, drop_count=0, exec_time=1654705730, api_et=1654691280.000000000, api_lt=1654705680.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654691280.000000000, search_lt=1654705680.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2817", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=28916260, total_slices=1267367, decompressed_slices=428892, duration.command.search.index=12893, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=89356, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11906381, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 16:29:05.859, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654705620_96124', total_run_time=55.68, event_count=0, result_count=0, available_count=0, scan_count=28928448, drop_count=0, exec_time=1654705669, api_et=1654691220.000000000, api_lt=1654705620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654691220.000000000, search_lt=1654705620.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2755", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=28928448, total_slices=1291717, decompressed_slices=428766, duration.command.search.index=13217, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=93162, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11899475, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 16:28:05.845, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654705560_96105', total_run_time=53.08, event_count=0, result_count=0, available_count=0, scan_count=28941045, drop_count=0, exec_time=1654705609, api_et=1654691160.000000000, api_lt=1654705560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654691160.000000000, search_lt=1654705560.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2688", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=28941045, total_slices=1289746, decompressed_slices=428739, duration.command.search.index=12229, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=97676, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11893933, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 16:27:05.836, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654705500_96089', total_run_time=51.54, event_count=0, result_count=0, available_count=0, scan_count=28944878, drop_count=0, exec_time=1654705550, api_et=1654691100.000000000, api_lt=1654705500.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654691100.000000000, search_lt=1654705500.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3186", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=28944878, total_slices=1287732, decompressed_slices=428550, duration.command.search.index=12367, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=103411, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11888516, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 16:25:35.664, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654705440_96076', total_run_time=32.97, event_count=0, result_count=0, available_count=0, scan_count=28957981, drop_count=0, exec_time=1654705489, api_et=1654691040.000000000, api_lt=1654705440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654691040.000000000, search_lt=1654705440.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2823", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=28957981, total_slices=1285627, decompressed_slices=428501, duration.command.search.index=11108, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=80430, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11883787, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 16:24:35.707, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654705380_96057', total_run_time=41.00, event_count=0, result_count=0, available_count=0, scan_count=28972096, drop_count=0, exec_time=1654705430, api_et=1654690980.000000000, api_lt=1654705380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654690980.000000000, search_lt=1654705380.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2830", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=28972096, total_slices=1283578, decompressed_slices=428535, duration.command.search.index=11840, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=83630, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11880258, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 16:24:06.014, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654705320_96025', total_run_time=50.44, event_count=0, result_count=0, available_count=0, scan_count=28984314, drop_count=0, exec_time=1654705369, api_et=1654690920.000000000, api_lt=1654705320.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654690920.000000000, search_lt=1654705320.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2725", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=28984314, total_slices=1281638, decompressed_slices=428459, duration.command.search.index=12404, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=92044, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11875410, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 16:22:35.794, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654705260_96008', total_run_time=42.83, event_count=0, result_count=0, available_count=0, scan_count=28998799, drop_count=0, exec_time=1654705309, api_et=1654690860.000000000, api_lt=1654705260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654690860.000000000, search_lt=1654705260.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2685", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=28998799, total_slices=1279628, decompressed_slices=428329, duration.command.search.index=11971, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=88071, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11871952, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 16:21:58.583, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD5f35305de57109d38_at_1654705200_95985', total_run_time=55.36, event_count=11867546, result_count=15, available_count=0, scan_count=29017280, drop_count=0, exec_time=1654705263, api_et=1654690800.000000000, api_lt=1654705200.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654690800.000000000, search_lt=1654705200.000000000, is_realtime=0, savedsearch_name="(1/3)_Public/NAT IP_Updating Existing IP", search_startup_time="3227", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_0f6d107c44b6659a", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=29017280, total_slices=1277792, decompressed_slices=428332, duration.command.search.index=11957, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=91496, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11867546, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="False" | eval earliest_seen=strptime(existing_es, "%m/%d/%Y %H:%M:%S.%N") | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(earliest_seen) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields ServiceType, host, src_translated_ip, earliest_seen, latest_seen, right_now, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 16:21:58.426, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654705200_95979', total_run_time=55.31, event_count=0, result_count=0, available_count=0, scan_count=29017280, drop_count=0, exec_time=1654705251, api_et=1654690800.000000000, api_lt=1654705200.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654690800.000000000, search_lt=1654705200.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3258", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=29017280, total_slices=1277563, decompressed_slices=428331, duration.command.search.index=12941, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=99087, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11867546, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 16:21:06.004, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654705140_95941', total_run_time=49.52, event_count=0, result_count=0, available_count=0, scan_count=29032997, drop_count=0, exec_time=1654705190, api_et=1654690740.000000000, api_lt=1654705140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654690740.000000000, search_lt=1654705140.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3066", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=29032997, total_slices=1275706, decompressed_slices=428221, duration.command.search.index=11800, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=95976, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11861678, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 16:19:35.921, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654705080_95916', total_run_time=45.42, event_count=0, result_count=0, available_count=0, scan_count=29048446, drop_count=0, exec_time=1654705130, api_et=1654690680.000000000, api_lt=1654705080.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654690680.000000000, search_lt=1654705080.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3190", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=29048446, total_slices=1273677, decompressed_slices=428105, duration.command.search.index=14456, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=104960, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11856500, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 16:18:39.320, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654705020_95895', total_run_time=48.62, event_count=0, result_count=0, available_count=0, scan_count=29067072, drop_count=0, exec_time=1654705070, api_et=1654690620.000000000, api_lt=1654705020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654690620.000000000, search_lt=1654705020.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3084", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=29067072, total_slices=1271560, decompressed_slices=428117, duration.command.search.index=11811, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=95629, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11851623, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 16:18:12.504, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654704960_95871', total_run_time=50.47, event_count=0, result_count=0, available_count=0, scan_count=29080930, drop_count=0, exec_time=1654705010, api_et=1654690560.000000000, api_lt=1654704960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654690560.000000000, search_lt=1654704960.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3124", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=0, considered_events=29080930, total_slices=1296093, decompressed_slices=428038, duration.command.search.index=12607, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=97849, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11847525, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 16:16:38.372, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654704900_95854', total_run_time=47.11, event_count=0, result_count=0, available_count=0, scan_count=29095952, drop_count=0, exec_time=1654704950, api_et=1654690500.000000000, api_lt=1654704900.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654690500.000000000, search_lt=1654704900.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3102", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=0, considered_events=29095952, total_slices=1294064, decompressed_slices=427829, duration.command.search.index=11735, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=95596, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11842476, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 16:16:38.065, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654704960_95865', total_run_time=12.51, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654704971, api_et=1654700760.000000000, api_lt=1654704360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654701360.000000000, search_lt=1654704973.524942000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3808", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_b590413295ae5066", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1095, eliminated_buckets=392, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=758, invocations.command.search.index.bucketcache.hit=1095, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes 
values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 16:15:35.828, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654704840_95834', total_run_time=35.49, event_count=0, result_count=0, available_count=0, scan_count=29111269, drop_count=0, exec_time=1654704889, api_et=1654690440.000000000, api_lt=1654704840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654690440.000000000, search_lt=1654704840.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2787", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=0, considered_events=29111269, total_slices=1292189, 
decompressed_slices=427681, duration.command.search.index=11447, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=89477, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11837353, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 16:14:35.789, 
user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654704840_95822', total_run_time=7.54, event_count=0, result_count=0, available_count=0, scan_count=14531, drop_count=0, exec_time=1654704863, api_et=1654701240.000000000, api_lt=1654704840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654701240.000000000, search_lt=1654704865.237833000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2792", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=429, eliminated_buckets=289, considered_events=14569, total_slices=818362, decompressed_slices=5727, duration.command.search.index=1649, invocations.command.search.index.bucketcache.hit=429, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=7559, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=93, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=621, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=1630, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=398, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=5, sourcetype_count__crowdstrike:falcon:fdr:PdfFileWritten=2, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=850, sourcetype_count__crowdstrike:falcon:fdr:RtfFileWritten=5, 
sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=31, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | 
`filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-08-2022 16:14:35.675, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654704780_95812', total_run_time=39.31, event_count=0, result_count=0, available_count=0, scan_count=29127214, drop_count=0, exec_time=1654704830, api_et=1654690380.000000000, api_lt=1654704780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654690380.000000000, search_lt=1654704780.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2703", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=0, considered_events=29127214, total_slices=1289995, decompressed_slices=427576, duration.command.search.index=11895, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=84665, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11832333, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 16:14:05.631, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654704720_95785', total_run_time=53.75, event_count=0, result_count=0, available_count=0, 
scan_count=29143377, drop_count=0, exec_time=1654704769, api_et=1654690320.000000000, api_lt=1654704720.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654690320.000000000, search_lt=1654704720.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2732", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=0, considered_events=29143377, total_slices=1288103, decompressed_slices=427552, duration.command.search.index=12346, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=100550, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11828354, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv 
src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 16:12:05.588, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654704600_95743', total_run_time=66.29, event_count=0, result_count=0, available_count=0, scan_count=29173544, drop_count=0, exec_time=1654704649, api_et=1654690200.000000000, api_lt=1654704600.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654690200.000000000, search_lt=1654704600.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2744", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=1, considered_events=29173544, total_slices=1283981, decompressed_slices=427225, duration.command.search.index=14266, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=102672, 
invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11819628, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 16:11:55.112, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654704660_95750', total_run_time=4.85, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654704664, api_et=1654701060.000000000, api_lt=1654704660.000000000, api_index_et=N/A, api_index_lt=N/A, 
search_et=1654701060.000000000, search_lt=1654704666.750527000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2936", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_3753a64c1489a836", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=133, eliminated_buckets=54, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=54, invocations.command.search.index.bucketcache.hit=132, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, 
risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 16:11:06.056, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654704540_95717', total_run_time=52.75, event_count=0, result_count=0, available_count=0, scan_count=29182878, drop_count=0, exec_time=1654704590, api_et=1654690140.000000000, api_lt=1654704540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654690140.000000000, search_lt=1654704540.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2803", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=1, considered_events=29182878, total_slices=1281983, decompressed_slices=427079, duration.command.search.index=12416, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=113570, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, 
invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11815585, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 16:09:51.749, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654704540_95709', total_run_time=23.03, event_count=0, result_count=0, available_count=0, scan_count=5130643, drop_count=0, exec_time=1654704545, api_et=1654700340.000000000, api_lt=1654703940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654700340.000000000, search_lt=1654703940.000000000, is_realtime=0, savedsearch_name="Threat - 
DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3182", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_d9363beb39e8fe93", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=812, eliminated_buckets=400, considered_events=5130643, total_slices=1127851, decompressed_slices=239062, duration.command.search.index=2181, invocations.command.search.index.bucketcache.hit=812, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=41313, invocations.command.search.rawdata.bucketcache.hit=6, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=95, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId 
granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 16:09:51.678, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654704480_95701', total_run_time=40.45, event_count=0, result_count=0, available_count=0, scan_count=29193521, drop_count=0, exec_time=1654704530, api_et=1654690080.000000000, api_lt=1654704480.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654690080.000000000, search_lt=1654704480.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2806", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=29193521, total_slices=1306486, decompressed_slices=426970, duration.command.search.index=12288, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=91473, invocations.command.search.rawdata.bucketcache.hit=19, 
duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11808562, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 16:09:22.936, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654704360_95663', total_run_time=54.93, event_count=0, result_count=0, available_count=0, scan_count=29200659, drop_count=0, exec_time=1654704410, api_et=1654689960.000000000, api_lt=1654704360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654689960.000000000, 
search_lt=1654704360.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3211", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=0, considered_events=29200659, total_slices=1302306, decompressed_slices=426481, duration.command.search.index=13423, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=105328, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11797523, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | 
search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 16:09:21.801, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654704420_95687', total_run_time=31.91, event_count=1238, result_count=59, available_count=0, scan_count=589602, drop_count=0, exec_time=1654704480, api_et=1654700820.000000000, api_lt=1654704420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654700820.000000000, search_lt=1654704482.495089000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2943", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=437, eliminated_buckets=218, considered_events=594834, total_slices=705630, decompressed_slices=149016, duration.command.search.index=6663, invocations.command.search.index.bucketcache.hit=436, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56738, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, 
sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=4, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=459127, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=46170, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-08-2022 16:09:20.934, user=u00001, action=search, info=completed, 
search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654704420_95679', total_run_time=10.96, event_count=0, result_count=0, available_count=0, scan_count=1, drop_count=0, exec_time=1654704446, api_et=1654700820.000000000, api_lt=1654704420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654700820.000000000, search_lt=1654704448.499835000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2848", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_2642aa99962f594f", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=437, eliminated_buckets=218, considered_events=1, total_slices=1141, decompressed_slices=1, duration.command.search.index=1404, invocations.command.search.index.bucketcache.hit=436, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=130, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( 
CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 16:09:20.902, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654704420_95684', total_run_time=48.40, event_count=0, result_count=0, available_count=0, scan_count=29201623, drop_count=0, exec_time=1654704469, api_et=1654690020.000000000, api_lt=1654704420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654690020.000000000, search_lt=1654704420.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2915", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, 
eliminated_buckets=0, considered_events=29201623, total_slices=1304334, decompressed_slices=426762, duration.command.search.index=13679, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=99795, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11803062, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t 
gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 16:05:56.448, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654704240_95633', total_run_time=64.77, event_count=0, result_count=0, available_count=0, scan_count=29182893, drop_count=0, exec_time=1654704289, api_et=1654689840.000000000, api_lt=1654704240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654689840.000000000, search_lt=1654704240.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3004", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=0, considered_events=29182893, total_slices=1298327, decompressed_slices=426171, duration.command.search.index=16641, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=112873, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11785557, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', 
search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 16:04:26.334, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654704120_95547', total_run_time=89.65, event_count=0, result_count=0, available_count=0, scan_count=29168224, drop_count=0, exec_time=1654704169, api_et=1654689720.000000000, api_lt=1654704120.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654689720.000000000, search_lt=1654704120.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2657", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=0, considered_events=29168224, total_slices=1294244, decompressed_slices=425780, duration.command.search.index=18388, 
invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=158146, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11778738, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 16:02:26.333, user=u00002, action=search, info=completed, 
search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654704000_95487', total_run_time=71.67, event_count=0, result_count=0, available_count=0, scan_count=29154548, drop_count=0, exec_time=1654704049, api_et=1654689600.000000000, api_lt=1654704000.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654689600.000000000, search_lt=1654704000.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2865", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=0, considered_events=29154548, total_slices=1316762, decompressed_slices=425189, duration.command.search.index=23082, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=210746, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11772808, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" 
src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 15:44:20.940, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654702980_95174', total_run_time=33.25, event_count=0, result_count=0, available_count=0, scan_count=2975, drop_count=0, exec_time=1654703018, api_et=1654699380.000000000, api_lt=1654702980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654699380.000000000, search_lt=1654703019.963390000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2848", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_42aa2419acad40cf", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=2975, total_slices=697052, decompressed_slices=879, duration.command.search.index=1235, invocations.command.search.index.bucketcache.hit=126, 
duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5015, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 15:34:20.569, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654702380_94955', total_run_time=39.59, 
event_count=0, result_count=0, available_count=0, scan_count=42568820, drop_count=0, exec_time=1654702405, api_et=1654698780.000000000, api_lt=1654702380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654698780.000000000, search_lt=1654702407.310531000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3998", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_ccf418ea130804ac", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1927, eliminated_buckets=137, considered_events=42568820, total_slices=14111924, decompressed_slices=4171963, duration.command.search.index=14537, invocations.command.search.index.bucketcache.hit=1927, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=232941, invocations.command.search.rawdata.bucketcache.hit=305, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields 
suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 15:19:49.876, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654701360_94588', total_run_time=10.01, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654701371, api_et=1654697160.000000000, api_lt=1654700760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654697760.000000000, search_lt=1654701373.589486000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3882", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_25efd9c64e6ee572", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1096, eliminated_buckets=391, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=1036, invocations.command.search.index.bucketcache.hit=1096, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), 
risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 15:14:39.849, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654701240_94548', total_run_time=4.53, event_count=0, result_count=0, available_count=0, scan_count=18698, drop_count=0, exec_time=1654701263, api_et=1654697640.000000000, api_lt=1654701240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654697640.000000000, search_lt=1654701265.530316000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2767", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=425, eliminated_buckets=291, considered_events=19190, total_slices=910668, decompressed_slices=4958, duration.command.search.index=1254, invocations.command.search.index.bucketcache.hit=424, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=6291, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, 
sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=83, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=486, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=1187, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=290, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=4, sourcetype_count__crowdstrike:falcon:fdr:PdfFileWritten=2, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=830, sourcetype_count__crowdstrike:falcon:fdr:RtfFileWritten=5, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=16, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR 
sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." 
(CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-08-2022 15:12:18.465, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654701060_94482', total_run_time=5.27, event_count=0, result_count=0, available_count=0, scan_count=13, drop_count=0, exec_time=1654701065, api_et=1654697460.000000000, api_lt=1654701060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654697460.000000000, search_lt=1654701067.529659000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="3121", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_95b124117a62fe8c", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=133, eliminated_buckets=54, considered_events=13, total_slices=49054, decompressed_slices=8, duration.command.search.index=56, invocations.command.search.index.bucketcache.hit=133, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=441, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 15:09:39.947, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654700940_94435', total_run_time=19.48, event_count=0, result_count=0, available_count=0, scan_count=5041367, drop_count=0, exec_time=1654700945, api_et=1654696740.000000000, api_lt=1654700340.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654696740.000000000, search_lt=1654700340.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3130", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_f158cf6305c5297e", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=808, eliminated_buckets=398, considered_events=5041367, total_slices=1037866, decompressed_slices=237398, duration.command.search.index=1943, invocations.command.search.index.bucketcache.hit=805, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=38015, invocations.command.search.rawdata.bucketcache.hit=9, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=165, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 15:08:40.061, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654700820_94417', total_run_time=16.64, event_count=1221, result_count=56, available_count=0, scan_count=539843, drop_count=0, exec_time=1654700880, api_et=1654697220.000000000, api_lt=1654700820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654697220.000000000, search_lt=1654700882.326937000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2779", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=422, eliminated_buckets=205, considered_events=544695, total_slices=665042, decompressed_slices=144034, duration.command.search.index=4416, invocations.command.search.index.bucketcache.hit=422, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=37983, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=425122, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=41911, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | 
rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-08-2022 15:07:39.998, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654700820_94412', total_run_time=5.90, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654700846, api_et=1654697220.000000000, api_lt=1654700820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654697220.000000000, search_lt=1654700848.479020000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2700", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_e03e29ba64ae3ef2", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=422, eliminated_buckets=205, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=934, invocations.command.search.index.bucketcache.hit=422, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, 
invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 14:44:29.936, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654699380_93914', total_run_time=22.92, event_count=0, result_count=0, available_count=0, scan_count=3392, drop_count=0, exec_time=1654699418, api_et=1654695780.000000000, api_lt=1654699380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654695780.000000000, search_lt=1654699420.519710000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2824", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_5c5b160c2839c207", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=127, eliminated_buckets=0, considered_events=3392, total_slices=692163, decompressed_slices=972, duration.command.search.index=1215, invocations.command.search.index.bucketcache.hit=127, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4971, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 14:34:06.691, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654698780_93694', total_run_time=36.86, event_count=0, result_count=0, available_count=0, scan_count=42440013, drop_count=0, exec_time=1654698806, api_et=1654695180.000000000, api_lt=1654698780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654695180.000000000, search_lt=1654698808.070448000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3498", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_b7c6b62b24e085f5", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1928, eliminated_buckets=137, considered_events=42440013, total_slices=14176210, decompressed_slices=4183914, duration.command.search.index=18543, invocations.command.search.index.bucketcache.hit=1928, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=228398, invocations.command.search.rawdata.bucketcache.hit=308, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 14:17:08.021, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654697760_93320', total_run_time=7.40, event_count=0, result_count=0, available_count=0, scan_count=1, drop_count=0, exec_time=1654697770, api_et=1654693560.000000000, api_lt=1654697160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654694160.000000000, search_lt=1654697772.645833000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3544", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_85799e233075b59a", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1097, eliminated_buckets=391, considered_events=1, total_slices=9297, decompressed_slices=1, duration.command.search.index=831, invocations.command.search.index.bucketcache.hit=1097, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=111, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 14:14:36.530, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654697640_93280', total_run_time=5.48, event_count=0, result_count=0, available_count=0, scan_count=14485, drop_count=0, exec_time=1654697663, api_et=1654694040.000000000, api_lt=1654697640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654694040.000000000, search_lt=1654697664.853010000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2765", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=416, eliminated_buckets=286, considered_events=14485, total_slices=826142, decompressed_slices=3851, duration.command.search.index=1137, invocations.command.search.index.bucketcache.hit=416, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=6229, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=76, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=420, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=937, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=200, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=8, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=486, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=14, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") 
`filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-08-2022 14:11:36.514, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654697460_93214', total_run_time=5.02, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654697464, api_et=1654693860.000000000, api_lt=1654697460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654693860.000000000, search_lt=1654697466.390519000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2885", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_4f63b5b03263b2c6", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=132, eliminated_buckets=53, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=57, invocations.command.search.index.bucketcache.hit=132, 
duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 14:09:36.441, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654697340_93170', total_run_time=19.24, event_count=0, result_count=0, available_count=0, scan_count=5146761, drop_count=0, exec_time=1654697346, api_et=1654693140.000000000, api_lt=1654696740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654693140.000000000, search_lt=1654696740.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3169", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_e8d68c517d6506d0", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=822, eliminated_buckets=409, considered_events=5146761, total_slices=1093556, decompressed_slices=237424, duration.command.search.index=2061, invocations.command.search.index.bucketcache.hit=820, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=38846, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=200, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 14:08:36.430, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654697220_93156', total_run_time=21.01, event_count=1991, result_count=101, available_count=0, scan_count=539481, drop_count=0, exec_time=1654697285, api_et=1654693620.000000000, api_lt=1654697220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654693620.000000000, search_lt=1654697287.052667000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="3147", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=417, eliminated_buckets=203, considered_events=545047, total_slices=605769, decompressed_slices=139274, duration.command.search.index=5494, invocations.command.search.index.bucketcache.hit=417, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51762, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=1, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=426846, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=48374, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype 
CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-08-2022 14:07:36.726, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654697220_93145', total_run_time=7.84, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654697246, api_et=1654693620.000000000, api_lt=1654697220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654693620.000000000, search_lt=1654697248.840903000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2846", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_0225eaa020061046", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=418, eliminated_buckets=203, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=990, invocations.command.search.index.bucketcache.hit=417, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 13:44:14.892, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654695780_92656', total_run_time=22.61, event_count=0, result_count=0, available_count=0, scan_count=4784, drop_count=0, exec_time=1654695818, api_et=1654692180.000000000, api_lt=1654695780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654692180.000000000, search_lt=1654695819.938444000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2868", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_cde7efab5dabfbf8", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=129, eliminated_buckets=0, considered_events=4784, total_slices=755521, decompressed_slices=1381, duration.command.search.index=1124, invocations.command.search.index.bucketcache.hit=129, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4827, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 13:34:12.555, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654695180_92438', total_run_time=35.65, event_count=0, result_count=0, available_count=0, scan_count=42330245, drop_count=0, exec_time=1654695205, api_et=1654691580.000000000, api_lt=1654695180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654691580.000000000, search_lt=1654695207.853156000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="4205", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_0f4d0fe1af95c5b0", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1907, eliminated_buckets=137, considered_events=42330245, total_slices=13931988, decompressed_slices=4146942, duration.command.search.index=14514, invocations.command.search.index.bucketcache.hit=1907, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=224144, invocations.command.search.rawdata.bucketcache.hit=284, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 13:19:08.701, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654694160_92074', total_run_time=8.30, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654694170, api_et=1654689960.000000000, api_lt=1654693560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654690560.000000000, search_lt=1654694172.935616000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3768", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_9083e9a96859cff6", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1100, eliminated_buckets=389, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=697, invocations.command.search.index.bucketcache.hit=1100, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 13:14:40.589, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654694040_92034', total_run_time=4.40, event_count=0, result_count=0, available_count=0, scan_count=15378, drop_count=0, exec_time=1654694063, api_et=1654690440.000000000, api_lt=1654694040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654690440.000000000, search_lt=1654694065.759163000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2846", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=415, eliminated_buckets=285, considered_events=15434, total_slices=728353, decompressed_slices=3145, duration.command.search.index=1091, invocations.command.search.index.bucketcache.hit=414, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5742, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=60, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=184, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=772, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=106, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=1, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=264, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=7, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") 
`filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-08-2022 13:11:55.817, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654693860_91970', total_run_time=4.77, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654693865, api_et=1654690260.000000000, api_lt=1654693860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654690260.000000000, search_lt=1654693867.421693000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2770", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_10aee4bbf5a7d2df", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=54, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=63, invocations.command.search.index.bucketcache.hit=134, 
duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 13:09:27.424, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654693620_91906', total_run_time=19.47, event_count=1824, result_count=96, available_count=0, scan_count=477920, drop_count=0, exec_time=1654693680, api_et=1654690020.000000000, api_lt=1654693620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654690020.000000000, search_lt=1654693682.350471000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2907", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=414, eliminated_buckets=202, considered_events=486548, total_slices=522677, decompressed_slices=116225, duration.command.search.index=3551, invocations.command.search.index.bucketcache.hit=414, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=32318, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=1, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=381067, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=45524, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-08-2022 13:09:26.114, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654693740_91925', total_run_time=18.30, event_count=0, result_count=0, available_count=0, scan_count=5096358, drop_count=0, exec_time=1654693745, api_et=1654689540.000000000, api_lt=1654693140.000000000, 
api_index_et=N/A, api_index_lt=N/A, search_et=1654689540.000000000, search_lt=1654693140.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3170", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_fcf81cb9355cdfb9", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=797, eliminated_buckets=390, considered_events=5096358, total_slices=1085570, decompressed_slices=235603, duration.command.search.index=2319, invocations.command.search.index.bucketcache.hit=796, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=37273, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=142, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | 
stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 13:09:25.642, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654693620_91901', total_run_time=5.06, event_count=0, result_count=0, available_count=0, scan_count=1, drop_count=0, exec_time=1654693646, api_et=1654690020.000000000, api_lt=1654693620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654690020.000000000, search_lt=1654693648.531476000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2829", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_9c5862d411da242f", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=414, eliminated_buckets=202, considered_events=1, total_slices=6353, decompressed_slices=1, duration.command.search.index=848, invocations.command.search.index.bucketcache.hit=414, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, 
invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=170, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 13:00:29.971, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654693140_91700', total_run_time=16.35, event_count=0, result_count=0, available_count=0, scan_count=26669302, drop_count=0, exec_time=1654693190, api_et=1654678740.000000000, api_lt=1654693140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654678740.000000000, search_lt=1654693140.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3185", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=26669302, total_slices=1508725, decompressed_slices=395659, duration.command.search.index=8682, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=68238, invocations.command.search.rawdata.bucketcache.hit=24, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11336145, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 12:59:29.943, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654693080_91687', total_run_time=14.53, event_count=0, result_count=0, available_count=0, scan_count=26644884, drop_count=0, exec_time=1654693129, api_et=1654678680.000000000, api_lt=1654693080.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654678680.000000000, search_lt=1654693080.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3357", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=26644884, total_slices=1506817, decompressed_slices=395444, duration.command.search.index=8556, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=62777, invocations.command.search.rawdata.bucketcache.hit=23, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11334184, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 12:58:28.962, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654692960_91654', total_run_time=13.51, event_count=0, result_count=0, available_count=0, scan_count=26595170, drop_count=0, exec_time=1654693010, api_et=1654678560.000000000, api_lt=1654692960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654678560.000000000, search_lt=1654692960.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2666", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=26595170, total_slices=1503029, decompressed_slices=394970, duration.command.search.index=8706, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=62144, invocations.command.search.rawdata.bucketcache.hit=23, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11328188, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 12:58:28.943, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654692900_91643', total_run_time=14.36, event_count=0, result_count=0, available_count=0, scan_count=26572364, drop_count=0, exec_time=1654692950, api_et=1654678500.000000000, api_lt=1654692900.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654678500.000000000, search_lt=1654692900.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2832", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=26572364, total_slices=1501194, decompressed_slices=394823, duration.command.search.index=8626, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=62430, invocations.command.search.rawdata.bucketcache.hit=23, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11326579, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 12:58:28.439, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654693020_91672', total_run_time=14.12, event_count=0, result_count=0, available_count=0, scan_count=26622593, drop_count=0, exec_time=1654693070, api_et=1654678620.000000000, api_lt=1654693020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654678620.000000000, search_lt=1654693020.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2684", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=26622593, total_slices=1504961, decompressed_slices=395222, duration.command.search.index=9115, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61489, invocations.command.search.rawdata.bucketcache.hit=23, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11332141, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 12:55:27.979, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654692840_91626', total_run_time=16.24, event_count=0, result_count=0, available_count=0, scan_count=26553181, drop_count=0, exec_time=1654692889, api_et=1654678440.000000000, api_lt=1654692840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654678440.000000000, search_lt=1654692840.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2819", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=26553181, total_slices=1499217, decompressed_slices=394706, duration.command.search.index=9617, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=60023, invocations.command.search.rawdata.bucketcache.hit=23, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11326199, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 12:54:14.968, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654692780_91609', total_run_time=16.58, event_count=0, result_count=0, available_count=0, scan_count=26530731, drop_count=0, exec_time=1654692830, api_et=1654678380.000000000, api_lt=1654692780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654678380.000000000, search_lt=1654692780.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2923", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=26530731, total_slices=1497365, decompressed_slices=394490, duration.command.search.index=9342, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=62730, invocations.command.search.rawdata.bucketcache.hit=23, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11325297, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 12:53:48.498, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654692720_91585', total_run_time=15.86, event_count=0, result_count=0, available_count=0, scan_count=26508863, drop_count=0, exec_time=1654692769, api_et=1654678320.000000000, api_lt=1654692720.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654678320.000000000, search_lt=1654692720.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2760", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=26508863, total_slices=1495394, decompressed_slices=394245, duration.command.search.index=9272, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=63803, invocations.command.search.rawdata.bucketcache.hit=23, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11323817, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 12:53:44.962, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654692600_91543', total_run_time=16.41, event_count=0, result_count=0, available_count=0, scan_count=26466226, drop_count=0, exec_time=1654692649, api_et=1654678200.000000000, api_lt=1654692600.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654678200.000000000, search_lt=1654692600.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3214", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=26466226, total_slices=1517636, decompressed_slices=393925, duration.command.search.index=9209, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=66512, invocations.command.search.rawdata.bucketcache.hit=23, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11321522, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 12:53:43.720, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654692660_91568', total_run_time=15.65, event_count=0, result_count=0, available_count=0, scan_count=26486421, drop_count=0, exec_time=1654692709, api_et=1654678260.000000000, api_lt=1654692660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654678260.000000000, search_lt=1654692660.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2629", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=26486421, total_slices=1519428, decompressed_slices=394045, duration.command.search.index=9487, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=63441, invocations.command.search.rawdata.bucketcache.hit=23, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11321481, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 12:50:12.276, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654692540_91508', total_run_time=15.94, event_count=0, result_count=0, available_count=0, scan_count=26447020, drop_count=0, exec_time=1654692592, api_et=1654678140.000000000, api_lt=1654692540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654678140.000000000, search_lt=1654692540.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3168", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=26447020, total_slices=1515785, decompressed_slices=393768, duration.command.search.index=8735, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=66801, invocations.command.search.rawdata.bucketcache.hit=23, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11320588, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 12:49:12.210, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654692480_91487', total_run_time=14.92, event_count=0, result_count=0, available_count=0, scan_count=26424437, drop_count=0, exec_time=1654692530, api_et=1654678080.000000000, api_lt=1654692480.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654678080.000000000, search_lt=1654692480.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3208", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=26424437, total_slices=1513754, decompressed_slices=393614, duration.command.search.index=9138, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=62941, invocations.command.search.rawdata.bucketcache.hit=23, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11318530, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 12:48:22.609, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654692420_91471', total_run_time=14.29, event_count=0, result_count=0, available_count=0, scan_count=26400811, drop_count=0, exec_time=1654692470, api_et=1654678020.000000000, api_lt=1654692420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654678020.000000000, search_lt=1654692420.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3251", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=146, eliminated_buckets=0, considered_events=26400811, total_slices=1538106, decompressed_slices=393344, duration.command.search.index=8823, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=64390, invocations.command.search.rawdata.bucketcache.hit=23, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11316244, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 12:47:12.108, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654692360_91450', total_run_time=15.22, event_count=0, result_count=0, available_count=0, scan_count=26375462, drop_count=0, exec_time=1654692409, api_et=1654677960.000000000, api_lt=1654692360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654677960.000000000, search_lt=1654692360.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3006", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=146, eliminated_buckets=0, considered_events=26375462, total_slices=1536078, decompressed_slices=393139, duration.command.search.index=8914, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61523, invocations.command.search.rawdata.bucketcache.hit=23, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11313605, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 12:46:12.015, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654692300_91432', total_run_time=15.79, event_count=0, result_count=0, available_count=0, scan_count=26349267, drop_count=0, exec_time=1654692350, api_et=1654677900.000000000, api_lt=1654692300.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654677900.000000000, search_lt=1654692300.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3040", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=146, eliminated_buckets=0, considered_events=26349267, total_slices=1534286, decompressed_slices=392933, duration.command.search.index=9055, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=62457, invocations.command.search.rawdata.bucketcache.hit=23, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11313591, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 12:45:12.035, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654692240_91409', total_run_time=14.49, event_count=0, result_count=0, available_count=0, scan_count=26307887, drop_count=0, exec_time=1654692289, api_et=1654677840.000000000, api_lt=1654692240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654677840.000000000, search_lt=1654692240.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2752", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=26307887, total_slices=1531775, decompressed_slices=392595, duration.command.search.index=8970, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61485, invocations.command.search.rawdata.bucketcache.hit=23, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11314511, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 12:44:12.461, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654692180_91385', total_run_time=21.25, event_count=0, result_count=0, available_count=0, scan_count=3529, drop_count=0, exec_time=1654692218, api_et=1654688580.000000000, api_lt=1654692180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654688580.000000000, search_lt=1654692219.969696000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2754", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_681d8d226cfb3a5e", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=127, eliminated_buckets=0, considered_events=3529, total_slices=808893, decompressed_slices=952, duration.command.search.index=1102, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4862, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 12:44:12.377, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654692180_91388', total_run_time=14.48, event_count=0, result_count=0, available_count=0, scan_count=26260785, drop_count=0, exec_time=1654692229, api_et=1654677780.000000000, api_lt=1654692180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654677780.000000000, search_lt=1654692180.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3010", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=143, eliminated_buckets=0, considered_events=26260785, total_slices=1530133, decompressed_slices=392539, duration.command.search.index=8739, invocations.command.search.index.bucketcache.hit=142, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=63250, invocations.command.search.rawdata.bucketcache.hit=20, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11311795, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 12:43:11.927, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654692120_91361', total_run_time=16.12, event_count=0, result_count=0, available_count=0, scan_count=26213721, drop_count=0, exec_time=1654692169, api_et=1654677720.000000000, api_lt=1654692120.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654677720.000000000, search_lt=1654692120.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2773", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=143, eliminated_buckets=0, considered_events=26213721, total_slices=1527994, decompressed_slices=392143, duration.command.search.index=9049, invocations.command.search.index.bucketcache.hit=143, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=64773, invocations.command.search.rawdata.bucketcache.hit=20, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11308838, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 12:42:48.889, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654692060_91338', total_run_time=13.67, event_count=0, result_count=0, available_count=0, scan_count=26166766, drop_count=0, exec_time=1654692109, api_et=1654677660.000000000, api_lt=1654692060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654677660.000000000, search_lt=1654692060.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2644", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=143, eliminated_buckets=0, considered_events=26166766, total_slices=1525810, decompressed_slices=391841, duration.command.search.index=9197, invocations.command.search.index.bucketcache.hit=143, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61240, invocations.command.search.rawdata.bucketcache.hit=20, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11307135, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 12:42:48.068, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654692000_91313', total_run_time=16.06, event_count=0, result_count=0, available_count=0, scan_count=26119280, drop_count=0, exec_time=1654692049, api_et=1654677600.000000000, api_lt=1654692000.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654677600.000000000, search_lt=1654692000.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2675", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=143, eliminated_buckets=1, considered_events=26119280, total_slices=1523796, decompressed_slices=391614, duration.command.search.index=9661, invocations.command.search.index.bucketcache.hit=143, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=64810, invocations.command.search.rawdata.bucketcache.hit=20, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11307246, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 12:40:12.301, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654691940_91278', total_run_time=16.39, event_count=0, result_count=0, available_count=0, scan_count=26078691, drop_count=0, exec_time=1654691990, api_et=1654677540.000000000, api_lt=1654691940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654677540.000000000, search_lt=1654691940.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2793", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=1, considered_events=26078691, total_slices=1547656, decompressed_slices=391296, duration.command.search.index=8783, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=65383, invocations.command.search.rawdata.bucketcache.hit=21, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11309059, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 12:39:50.147, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654691700_91221', total_run_time=13.47, event_count=0, result_count=0, available_count=0, scan_count=25906976, drop_count=0, exec_time=1654691750, api_et=1654677300.000000000, api_lt=1654691700.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654677300.000000000, search_lt=1654691700.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2653", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=1, considered_events=25906976, total_slices=1539299, decompressed_slices=390155, duration.command.search.index=9142, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61216, invocations.command.search.rawdata.bucketcache.hit=21, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11310328, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 12:39:48.912, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654691880_91261', total_run_time=14.61, event_count=0, result_count=0, available_count=0, scan_count=26034992, drop_count=0, exec_time=1654691929, api_et=1654677480.000000000, api_lt=1654691880.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654677480.000000000, search_lt=1654691880.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2693", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=1, considered_events=26034992, total_slices=1545525, decompressed_slices=391008, duration.command.search.index=9016, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=60572, invocations.command.search.rawdata.bucketcache.hit=21, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11308589, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 12:39:48.807, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654691760_91231', total_run_time=14.10, event_count=0, result_count=0, available_count=0, scan_count=25950181, drop_count=0, exec_time=1654691809, api_et=1654677360.000000000, api_lt=1654691760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654677360.000000000, search_lt=1654691760.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2710", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=1, considered_events=25950181, total_slices=1541361, decompressed_slices=390320, duration.command.search.index=9052, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59255, invocations.command.search.rawdata.bucketcache.hit=21, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11309535, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 12:39:48.779, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654691820_91246', total_run_time=13.70, event_count=0, result_count=0, available_count=0, scan_count=25991476, drop_count=0, exec_time=1654691870, api_et=1654677420.000000000, api_lt=1654691820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654677420.000000000, search_lt=1654691820.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2804", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=1, considered_events=25991476, total_slices=1543438, decompressed_slices=390623, duration.command.search.index=9018, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=60292, invocations.command.search.rawdata.bucketcache.hit=21, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11308736, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 12:35:21.522, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654691640_91200', total_run_time=17.46, event_count=0, result_count=0, available_count=0, scan_count=25868682, drop_count=0, exec_time=1654691689, api_et=1654677240.000000000, api_lt=1654691640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654677240.000000000, search_lt=1654691640.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2786", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=1, considered_events=25868682, total_slices=1537126, decompressed_slices=389870, duration.command.search.index=9347, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=62674, invocations.command.search.rawdata.bucketcache.hit=21, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11312417, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 12:34:21.745, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654691580_91164', total_run_time=20.84, event_count=0, result_count=0, available_count=0, scan_count=25827094, drop_count=0, exec_time=1654691629, api_et=1654677180.000000000, api_lt=1654691580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654677180.000000000, search_lt=1654691580.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2755", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=1, considered_events=25827094, total_slices=1534262, decompressed_slices=389496, duration.command.search.index=10230, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=71264, invocations.command.search.rawdata.bucketcache.hit=21, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11315033, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 12:34:21.592, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654691580_91150', total_run_time=35.75, event_count=0, result_count=0, available_count=0, scan_count=42211412, drop_count=0, exec_time=1654691605, api_et=1654687980.000000000, api_lt=1654691580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654687980.000000000, search_lt=1654691607.327410000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3650", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_258a239da457f1c4", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1932, eliminated_buckets=137, considered_events=42211412, total_slices=14047296, decompressed_slices=4087833, duration.command.search.index=14521, invocations.command.search.index.bucketcache.hit=1931, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=223540, invocations.command.search.rawdata.bucketcache.hit=312, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 12:33:20.983, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654691520_91128', total_run_time=20.37, event_count=0, result_count=0, available_count=0, scan_count=25788625, drop_count=0, exec_time=1654691570, api_et=1654677120.000000000, api_lt=1654691520.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654677120.000000000, search_lt=1654691520.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2931", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=1, considered_events=25788625, total_slices=1532934, decompressed_slices=389233, duration.command.search.index=10809, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=80157, invocations.command.search.rawdata.bucketcache.hit=21, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11317514, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 12:33:20.112, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654691460_91098', total_run_time=18.97, event_count=0, result_count=0, available_count=0, scan_count=25748811, drop_count=0, exec_time=1654691510, api_et=1654677060.000000000, api_lt=1654691460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654677060.000000000, search_lt=1654691460.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3118", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=1, considered_events=25748811, total_slices=1530996, decompressed_slices=388958, duration.command.search.index=10350, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=72206, invocations.command.search.rawdata.bucketcache.hit=21, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11319209, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 12:33:18.118, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654691400_91069', total_run_time=41.81, event_count=0, result_count=0, available_count=0, scan_count=25707120, drop_count=0, exec_time=1654691449, api_et=1654677000.000000000, api_lt=1654691400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654677000.000000000, search_lt=1654691400.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3353", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=1, considered_events=25707120, total_slices=1528917, decompressed_slices=388852, duration.command.search.index=13072, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=92962, invocations.command.search.rawdata.bucketcache.hit=21, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11320168, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 12:30:15.522, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654691340_91028', total_run_time=17.07, event_count=0, result_count=0, available_count=0, scan_count=25668253, drop_count=0, exec_time=1654691389, api_et=1654676940.000000000, api_lt=1654691340.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654676940.000000000, search_lt=1654691340.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2724", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=25668253, total_slices=1526769, decompressed_slices=388540, duration.command.search.index=8875, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=66312, invocations.command.search.rawdata.bucketcache.hit=21, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11322148, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 12:29:15.596, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654691280_91015', total_run_time=13.84, event_count=0, result_count=0, available_count=0, scan_count=25625561, drop_count=0, exec_time=1654691329, api_et=1654676880.000000000, api_lt=1654691280.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654676880.000000000, search_lt=1654691280.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2735", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=25625561, total_slices=1524701, decompressed_slices=388278, duration.command.search.index=8820, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61253, invocations.command.search.rawdata.bucketcache.hit=21, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11321941, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 12:28:15.535, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654691220_91001', total_run_time=13.74, event_count=0, result_count=0, available_count=0, scan_count=25583784, drop_count=0, exec_time=1654691269, api_et=1654676820.000000000, api_lt=1654691220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654676820.000000000, search_lt=1654691220.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2660", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=25583784, total_slices=1548805, decompressed_slices=387980, duration.command.search.index=8829, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=62119, invocations.command.search.rawdata.bucketcache.hit=22, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11321755, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 12:27:15.635, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654691160_90982', total_run_time=13.12, event_count=0, result_count=0, available_count=0, scan_count=25539531, drop_count=0, exec_time=1654691210, api_et=1654676760.000000000, api_lt=1654691160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654676760.000000000, search_lt=1654691160.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2633", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=25539531, total_slices=1546808, decompressed_slices=387855, duration.command.search.index=8794, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=60405, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11320912, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 12:26:15.536, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654691100_90965', total_run_time=14.07, event_count=0, result_count=0, available_count=0, scan_count=25493051, drop_count=0, exec_time=1654691149, api_et=1654676700.000000000, api_lt=1654691100.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654676700.000000000, search_lt=1654691100.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3020", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=25493051, total_slices=1544620, decompressed_slices=387606, duration.command.search.index=9004, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=60569, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11319374, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 12:25:15.532, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654691040_90952', total_run_time=14.80, event_count=0, result_count=0, available_count=0, scan_count=25452001, drop_count=0, exec_time=1654691089, api_et=1654676640.000000000, api_lt=1654691040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654676640.000000000, search_lt=1654691040.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2718", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=25452001, total_slices=1542598, decompressed_slices=387314, duration.command.search.index=8943, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59134, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11320102, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 12:24:15.465, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654690980_90933', total_run_time=13.76, event_count=0, result_count=0, available_count=0, scan_count=25408202, drop_count=0, exec_time=1654691029, api_et=1654676580.000000000, api_lt=1654690980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654676580.000000000, search_lt=1654690980.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2678", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=25408202, total_slices=1539855, decompressed_slices=386969, duration.command.search.index=8670, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59380, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11319079, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 12:23:15.546, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654690920_90901', total_run_time=15.96, event_count=0, result_count=0, available_count=0, scan_count=25366689, drop_count=0, exec_time=1654690969, api_et=1654676520.000000000, api_lt=1654690920.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654676520.000000000, search_lt=1654690920.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3217", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=25366689, total_slices=1538378, decompressed_slices=386587, duration.command.search.index=8743, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=63605, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11318203, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 12:22:19.297, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654690860_90885', total_run_time=14.18, event_count=0, result_count=0, available_count=0, scan_count=25320384, drop_count=0, exec_time=1654690909, api_et=1654676460.000000000, api_lt=1654690860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654676460.000000000, search_lt=1654690860.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2649", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=25320384, total_slices=1536237, decompressed_slices=386310, duration.command.search.index=9300, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61684, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11315546, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 12:22:02.500, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654690800_90857', total_run_time=16.53, event_count=0, result_count=0, available_count=0, scan_count=25273193, drop_count=0, exec_time=1654690850, api_et=1654676400.000000000, api_lt=1654690800.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654676400.000000000, search_lt=1654690800.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3086", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=25273193, total_slices=1533974, decompressed_slices=386052, duration.command.search.index=9739, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=65213, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11313787, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 12:20:15.870, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654690740_90820', total_run_time=17.92, event_count=0, result_count=0, available_count=0, scan_count=25230324, drop_count=0, exec_time=1654690790, api_et=1654676340.000000000, api_lt=1654690740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654676340.000000000, search_lt=1654690740.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3066", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=25230324, total_slices=1532193, decompressed_slices=385926, duration.command.search.index=8749, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=62373, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11313630, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 12:19:15.711, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654690680_90795', total_run_time=22.06, event_count=0, result_count=0, available_count=0, scan_count=25187945, drop_count=0, exec_time=1654690730, api_et=1654676280.000000000, api_lt=1654690680.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654676280.000000000, search_lt=1654690680.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3190", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=25187945, total_slices=1530135, decompressed_slices=385706, duration.command.search.index=9747, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=68569, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11313957, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 12:18:45.404, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654690620_90774', total_run_time=29.43, event_count=0, result_count=0, available_count=0, scan_count=25144225, drop_count=0, exec_time=1654690670, api_et=1654676220.000000000, api_lt=1654690620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654676220.000000000, search_lt=1654690620.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3481", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=25144225, total_slices=1553903, decompressed_slices=385443, duration.command.search.index=9238, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=72119, invocations.command.search.rawdata.bucketcache.hit=20, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11313541, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 12:17:44.293, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654690560_90751', total_run_time=22.69, event_count=0, result_count=0, available_count=0, scan_count=25094768, drop_count=0, exec_time=1654690610, api_et=1654676160.000000000, api_lt=1654690560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654676160.000000000, search_lt=1654690560.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3103", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=146, eliminated_buckets=0, considered_events=25094768, total_slices=1577492, decompressed_slices=385144, duration.command.search.index=9044, invocations.command.search.index.bucketcache.hit=146, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=67309, invocations.command.search.rawdata.bucketcache.hit=20, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11311309, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 12:17:42.414, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654690560_90745', total_run_time=13.12, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654690570, api_et=1654686360.000000000, api_lt=1654689960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654686960.000000000, search_lt=1654690572.799999000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3603", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_36e99744d97d891e", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1096, eliminated_buckets=388, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=963, invocations.command.search.index.bucketcache.hit=1096, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 12:17:41.634, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654690500_90734', total_run_time=22.18, event_count=0, result_count=0, available_count=0, scan_count=25055003, drop_count=0, exec_time=1654690550, api_et=1654676100.000000000, api_lt=1654690500.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654676100.000000000, search_lt=1654690500.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3095", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=146, eliminated_buckets=0, considered_events=25055003, total_slices=1576039, decompressed_slices=384927, duration.command.search.index=9403, invocations.command.search.index.bucketcache.hit=146, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=71154, invocations.command.search.rawdata.bucketcache.hit=20, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11310588, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 12:15:18.572, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654690440_90715', total_run_time=26.64, event_count=0, result_count=0, available_count=0, scan_count=25013857, drop_count=0, exec_time=1654690490, api_et=1654676040.000000000, api_lt=1654690440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654676040.000000000, search_lt=1654690440.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2840", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=146, eliminated_buckets=0, considered_events=25013857, total_slices=1573858, decompressed_slices=384688, duration.command.search.index=9013, invocations.command.search.index.bucketcache.hit=146, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=71811, invocations.command.search.rawdata.bucketcache.hit=20, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11312097, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 12:14:48.310, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654690440_90702', total_run_time=7.03, event_count=0, result_count=0, available_count=0, scan_count=15389, drop_count=0, exec_time=1654690463, api_et=1654686840.000000000, api_lt=1654690440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654686840.000000000, search_lt=1654690465.416164000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2951", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=413, eliminated_buckets=284, considered_events=15398, total_slices=629910, decompressed_slices=3108, duration.command.search.index=1064, invocations.command.search.index.bucketcache.hit=413, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=6291, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=49, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=130, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=341, 
sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=76, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=247, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=1, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR 
sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-08-2022 12:14:18.364, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654690380_90692', total_run_time=16.11, event_count=0, result_count=0, available_count=0, scan_count=24971435, drop_count=0, exec_time=1654690429, api_et=1654675980.000000000, api_lt=1654690380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654675980.000000000, search_lt=1654690380.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2758", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=146, eliminated_buckets=0, considered_events=24971435, total_slices=1571677, decompressed_slices=384463, duration.command.search.index=8934, 
invocations.command.search.index.bucketcache.hit=146, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=63976, invocations.command.search.rawdata.bucketcache.hit=20, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11312788, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 12:13:18.378, user=u00002, action=search, info=completed, 
search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654690320_90665', total_run_time=16.49, event_count=0, result_count=0, available_count=0, scan_count=24923298, drop_count=0, exec_time=1654690369, api_et=1654675920.000000000, api_lt=1654690320.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654675920.000000000, search_lt=1654690320.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2888", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=146, eliminated_buckets=0, considered_events=24923298, total_slices=1569635, decompressed_slices=384122, duration.command.search.index=8797, invocations.command.search.index.bucketcache.hit=146, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61983, invocations.command.search.rawdata.bucketcache.hit=20, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11309834, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" 
src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 12:12:18.495, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654690260_90647', total_run_time=15.93, event_count=0, result_count=0, available_count=0, scan_count=24876811, drop_count=0, exec_time=1654690309, api_et=1654675860.000000000, api_lt=1654690260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654675860.000000000, search_lt=1654690260.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3209", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=146, eliminated_buckets=0, considered_events=24876811, total_slices=1567653, decompressed_slices=383845, duration.command.search.index=9319, invocations.command.search.index.bucketcache.hit=146, duration.command.search.index.bucketcache.hit=0, 
invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=62351, invocations.command.search.rawdata.bucketcache.hit=20, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11307521, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 12:11:18.562, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654690200_90622', total_run_time=15.30, 
event_count=0, result_count=0, available_count=0, scan_count=24830675, drop_count=0, exec_time=1654690250, api_et=1654675800.000000000, api_lt=1654690200.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654675800.000000000, search_lt=1654690200.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2755", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=24830675, total_slices=1565606, decompressed_slices=383583, duration.command.search.index=8951, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=62712, invocations.command.search.rawdata.bucketcache.hit=20, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11307106, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, 
dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 12:11:18.360, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654690260_90629', total_run_time=4.80, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654690264, api_et=1654686660.000000000, api_lt=1654690260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654686660.000000000, search_lt=1654690266.229863000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2814", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_db5bb77ce41b01af", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=57, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=63, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, 
duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 12:10:18.316, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654690140_90588', total_run_time=13.92, event_count=0, result_count=0, available_count=0, scan_count=24788640, drop_count=0, exec_time=1654690190, api_et=1654675740.000000000, api_lt=1654690140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654675740.000000000, search_lt=1654690140.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2724", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=24788640, total_slices=1563462, decompressed_slices=383463, duration.command.search.index=8520, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58982, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11305493, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 12:09:48.431, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654690140_90580', total_run_time=18.77, event_count=0, result_count=0, available_count=0, scan_count=5190962, drop_count=0, exec_time=1654690145, api_et=1654685940.000000000, api_lt=1654689540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654685940.000000000, search_lt=1654689540.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3147", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_69200e89ff2af08b", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=801, eliminated_buckets=389, considered_events=5190962, total_slices=1160676, decompressed_slices=235376, duration.command.search.index=2091, invocations.command.search.index.bucketcache.hit=799, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=36685, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=113, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", 
risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 12:09:19.036, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654690080_90572', total_run_time=14.30, event_count=0, result_count=0, available_count=0, scan_count=24747340, drop_count=0, exec_time=1654690129, api_et=1654675680.000000000, api_lt=1654690080.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654675680.000000000, search_lt=1654690080.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2757", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=24747340, total_slices=1561313, decompressed_slices=383327, duration.command.search.index=9007, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59472, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, 
duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11306476, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 12:08:48.253, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654690020_90563', total_run_time=18.10, event_count=1136, result_count=53, available_count=0, scan_count=366469, drop_count=0, exec_time=1654690084, api_et=1654686420.000000000, api_lt=1654690020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654686420.000000000, search_lt=1654690086.217474000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - Windows - CLI Threat Indicator 
Detected - Rule", search_startup_time="2837", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=413, eliminated_buckets=201, considered_events=373282, total_slices=509887, decompressed_slices=105375, duration.command.search.index=3211, invocations.command.search.index.bucketcache.hit=413, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=28765, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=4, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=289454, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=34972, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory 
notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-08-2022 12:08:18.408, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654690020_90555', total_run_time=14.54, event_count=0, result_count=0, available_count=0, scan_count=24710076, drop_count=0, exec_time=1654690069, api_et=1654675620.000000000, api_lt=1654690020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654675620.000000000, search_lt=1654690020.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2739", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=24710076, total_slices=1559315, decompressed_slices=383101, duration.command.search.index=8985, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61496, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11305730, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 12:07:48.515, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654690020_90550', total_run_time=5.50, event_count=0, result_count=0, available_count=0, 
scan_count=0, drop_count=0, exec_time=1654690046, api_et=1654686420.000000000, api_lt=1654690020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654686420.000000000, search_lt=1654690048.094078000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2856", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_71d2fc4600fadd39", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=413, eliminated_buckets=201, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=817, invocations.command.search.index.bucketcache.hit=413, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR 
CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 12:07:18.598, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654689960_90535', total_run_time=17.57, event_count=0, result_count=0, available_count=0, scan_count=24683499, drop_count=0, exec_time=1654690010, api_et=1654675560.000000000, api_lt=1654689960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654675560.000000000, search_lt=1654689960.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2649", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=24683499, total_slices=1557379, decompressed_slices=382982, duration.command.search.index=9218, 
invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=63864, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11304190, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 12:07:18.504, user=u00002, action=search, info=completed, 
search_id='scheduler__u00002__search__RMD5b133e58a16dd7195_at_1654689600_90504', total_run_time=131.43, event_count=2696, result_count=2695, available_count=0, scan_count=1756868, drop_count=0, exec_time=1654689890, api_et=1654603200.000000000, api_lt=1654689600.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1567209600.000000000, search_lt=1654689600.000000000, is_realtime=0, savedsearch_name="DMO Confluence Aging Metrics", search_startup_time="64513", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_search_u00002_1a627ec62c540014", app="search", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=30399, eliminated_buckets=4774, considered_events=1756868, total_slices=14093842, decompressed_slices=1089747, duration.command.search.index=893853, invocations.command.search.index.bucketcache.hit=27399, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=3043, duration.command.search.index.bucketcache.miss=352645, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=227392, invocations.command.search.rawdata.bucketcache.hit=20029, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=1115, duration.command.search.rawdata.bucketcache.miss=195604, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__access=71088, sourcetype_count__atlassian:confluence:access=1170765, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search earliest=08/31/2019:00:00:00 latest=now index=ops_confluence url IN 
("https://confluence.tshirt.com/display/SEC/*") uri_path="/rest/quickreload/latest/*" | fields url, uri_path | rex field=uri_path "\/rest\/quickreload\/latest\/(?[^?]+)" | rex field=url "https:\/\/confluence.tshirt.com\/display\/SEC\/(?[^?]+)" | rex field=url "https://confluence.tshirt.com/display/~u00001/(?[^?]+)" | eval pageTitle=coalesce(pageTitle_1, pageTitle_2, "") | fields pageId, pageTitle | dedup pageId | join type=left pageId [search earliest=08/31/2019:00:00:00 latest=now index=ops_confluence PUT user=* url="https://confluence.tshirt.com/pages/resumedraft.action?draftId=*" uri_path="/rest/api/content/*" | rex field=uri_path "\/rest\/api\/content\/(?[^?]+)\?status=draft" | stats latest(_time) AS last_edited latest(user) AS last_edited_by by pageId | fields last_edited last_edited_by pageId] | fields last_edited pageTitle pageId last_edited_by | eval days=round(((now()-last_edited)/86400),0) | convert ctime(last_edited) | table last_edited pageTitle pageId last_edited_by days | where pageId!=0 | sort +days | outputlookup dmo_conf_age.csv'] Audit:[timestamp=06-08-2022 12:06:18.486, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654689900_90521', total_run_time=16.30, event_count=0, result_count=0, available_count=0, scan_count=24666142, drop_count=0, exec_time=1654689950, api_et=1654675500.000000000, api_lt=1654689900.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654675500.000000000, search_lt=1654689900.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3195", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, 
considered_events=24666142, total_slices=1555454, decompressed_slices=382880, duration.command.search.index=9377, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=64193, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11304270, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] 
Audit:[timestamp=06-08-2022 12:05:18.412, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654689840_90503', total_run_time=15.85, event_count=0, result_count=0, available_count=0, scan_count=24649719, drop_count=0, exec_time=1654689889, api_et=1654675440.000000000, api_lt=1654689840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654675440.000000000, search_lt=1654689840.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2850", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=24649719, total_slices=1553700, decompressed_slices=382788, duration.command.search.index=9165, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=66670, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11304667, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs 
sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 12:04:20.213, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654689780_90460', total_run_time=18.10, event_count=0, result_count=0, available_count=0, scan_count=24632790, drop_count=0, exec_time=1654689829, api_et=1654675380.000000000, api_lt=1654689780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654675380.000000000, search_lt=1654689780.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2800", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=0, considered_events=24632790, total_slices=1551886, decompressed_slices=382777, duration.command.search.index=10779, invocations.command.search.index.bucketcache.hit=144, 
duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=77878, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11304052, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 12:03:18.388, user=u00002, action=search, info=completed, 
search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654689720_90415', total_run_time=20.65, event_count=0, result_count=0, available_count=0, scan_count=24612581, drop_count=0, exec_time=1654689769, api_et=1654675320.000000000, api_lt=1654689720.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654675320.000000000, search_lt=1654689720.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2662", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=24612581, total_slices=1550105, decompressed_slices=382660, duration.command.search.index=10660, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=81606, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11302620, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" 
src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 12:02:18.362, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654689660_90383', total_run_time=20.28, event_count=0, result_count=0, available_count=0, scan_count=24596264, drop_count=0, exec_time=1654689709, api_et=1654675260.000000000, api_lt=1654689660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654675260.000000000, search_lt=1654689660.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2688", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=24596264, total_slices=1548146, decompressed_slices=382500, duration.command.search.index=11172, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, 
invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=95585, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11303335, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 12:01:46.186, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654689600_90352', total_run_time=32.38, 
event_count=0, result_count=0, available_count=0, scan_count=24579033, drop_count=0, exec_time=1654689650, api_et=1654675200.000000000, api_lt=1654689600.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654675200.000000000, search_lt=1654689600.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2734", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=24579033, total_slices=1572768, decompressed_slices=382523, duration.command.search.index=15030, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=146123, invocations.command.search.rawdata.bucketcache.hit=20, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11302690, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, 
dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 12:01:46.030, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD5447569e8e48a25cb_at_1654689600_90348', total_run_time=62.93, event_count=0, result_count=101, available_count=0, scan_count=0, drop_count=0, exec_time=1654689632, api_et=1654687800.000000000, api_lt=1654689600.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654687800.000000000, search_lt=1654689600.000000000, is_realtime=0, savedsearch_name="DMO SOP SIR Metrics", search_startup_time="63693", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=0, eliminated_buckets=0, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=0, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, 
invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='| inputlookup dmo_conf_age.csv | search pageTitle IN ("DMOESS*", "RQ-S*") NOT pageTitle IN ("*+Retired", "*+RETIRED") | rex field=pageTitle "^(?\S+?)\+" | join usecase_id [| search earliest=-1y index=sec_snow sourcetype=snow:sn_si_incident | rex field=description "(?s)\|\s(?(RQ-|DMOESS).*)?For ServiceNow Consumption:" | stats latest(number) as latest_sir_number by _time, usecase_title | makemv usecase_title delim=" | " | mvexpand usecase_title | search usecase_title IN ("RQ-*", "DMOESS*") | stats last(latest_sir_number) as latest_sir_number latest(_time) as last_appeared_in_sir by usecase_title | rex field=usecase_title "^(?\S*)" | fields usecase_id, usecase_title, latest_sir_number, last_appeared_in_sir] | stats values(pageTitle) as conf_pageTitle, values(last_edited_by) as conf_last_edited_by, values(last_edited) as conf_last_edited, values(days) as conf_days_since_last_edit, values(pageId) as conf_pageId by last_appeared_in_sir, latest_sir_number, usecase_id, usecase_title | convert ctime(last_appeared_in_sir) | outputlookup dmo_sop_sir_metrics.csv'] Audit:[timestamp=06-08-2022 11:44:18.576, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654688580_90038', total_run_time=21.28, event_count=0, result_count=0, available_count=0, scan_count=4449, drop_count=0, exec_time=1654688618, api_et=1654684980.000000000, api_lt=1654688580.000000000, api_index_et=N/A, api_index_lt=N/A, 
search_et=1654684980.000000000, search_lt=1654688620.182669000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2881", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_5bedd89a30dd2fd4", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=128, eliminated_buckets=2, considered_events=4449, total_slices=883808, decompressed_slices=1197, duration.command.search.index=1068, invocations.command.search.index.bucketcache.hit=128, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4850, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone 
dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 11:34:18.621, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654687980_89820', total_run_time=40.60, event_count=0, result_count=0, available_count=0, scan_count=42243685, drop_count=0, exec_time=1654688005, api_et=1654684380.000000000, api_lt=1654687980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654684380.000000000, search_lt=1654688007.560953000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3902", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_b2d398058329cbb4", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1928, eliminated_buckets=137, considered_events=42243685, total_slices=14001224, decompressed_slices=4095265, duration.command.search.index=14783, invocations.command.search.index.bucketcache.hit=1927, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=230036, invocations.command.search.rawdata.bucketcache.hit=293, duration.command.search.rawdata.bucketcache.hit=0, 
invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 11:17:02.300, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654686960_89456', total_run_time=8.44, event_count=0, result_count=0, available_count=0, scan_count=1, drop_count=0, exec_time=1654686970, api_et=1654682760.000000000, api_lt=1654686360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654683360.000000000, search_lt=1654686972.654085000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - 
CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3682", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_9c0cd1714369a6cd", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1102, eliminated_buckets=387, considered_events=1, total_slices=14166, decompressed_slices=1, duration.command.search.index=753, invocations.command.search.index.bucketcache.hit=1102, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=123, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and 
extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 11:14:48.867, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654686840_89415', total_run_time=4.73, event_count=0, result_count=0, available_count=0, scan_count=16278, drop_count=0, exec_time=1654686863, api_et=1654683240.000000000, api_lt=1654686840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654683240.000000000, search_lt=1654686865.227928000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2750", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=416, eliminated_buckets=287, 
considered_events=16442, total_slices=554001, decompressed_slices=3065, duration.command.search.index=954, invocations.command.search.index.bucketcache.hit=416, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5544, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=52, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=110, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=301, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=67, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=5, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=134, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=5, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR 
sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." 
(CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-08-2022 11:11:18.646, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654686660_89350', total_run_time=4.90, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654686665, api_et=1654683060.000000000, api_lt=1654686660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654683060.000000000, search_lt=1654686667.024839000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2918", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_62f32bf13a52c652", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=141, eliminated_buckets=62, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=65, invocations.command.search.index.bucketcache.hit=141, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 11:09:48.675, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654686540_89303', total_run_time=19.00, event_count=0, result_count=0, available_count=0, scan_count=5002179, drop_count=0, exec_time=1654686546, api_et=1654682340.000000000, api_lt=1654685940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654682340.000000000, search_lt=1654685940.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3148", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_820b6d27e3d450e2", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=801, eliminated_buckets=384, considered_events=5002179, total_slices=1222607, decompressed_slices=236525, duration.command.search.index=2005, invocations.command.search.index.bucketcache.hit=797, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=37885, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=154, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 11:08:38.484, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654686420_89284', total_run_time=21.61, event_count=1187, result_count=56, available_count=0, scan_count=366657, drop_count=0, exec_time=1654686480, api_et=1654682820.000000000, api_lt=1654686420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654682820.000000000, search_lt=1654686482.229572000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2771", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=415, eliminated_buckets=201, considered_events=374726, total_slices=552237, decompressed_slices=106746, duration.command.search.index=3551, invocations.command.search.index.bucketcache.hit=415, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=28971, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=3, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=290011, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=42526, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype 
CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-08-2022 11:08:16.619, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654686420_89279', total_run_time=5.73, event_count=0, result_count=0, available_count=0, scan_count=1, drop_count=0, exec_time=1654686446, api_et=1654682820.000000000, api_lt=1654686420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654682820.000000000, search_lt=1654686448.466153000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="3000", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_9ad8807177579c23", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=415, eliminated_buckets=201, considered_events=1, total_slices=13704, decompressed_slices=1, duration.command.search.index=793, invocations.command.search.index.bucketcache.hit=415, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=131, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 10:44:24.632, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654684980_88789', total_run_time=21.15, event_count=0, result_count=0, available_count=0, scan_count=3319, drop_count=0, exec_time=1654685018, api_et=1654681380.000000000, api_lt=1654684980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654681380.000000000, search_lt=1654685019.859249000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2410", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_9c356349bc9f785e", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=3319, total_slices=1003122, decompressed_slices=918, duration.command.search.index=1114, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5007, invocations.command.search.rawdata.bucketcache.hit=5, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 10:35:23.780, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654684380_88566', total_run_time=35.33, event_count=0, result_count=0, available_count=0, scan_count=42175337, drop_count=0, exec_time=1654684405, api_et=1654680780.000000000, api_lt=1654684380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654680780.000000000, search_lt=1654684407.577227000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3791", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_e5aed461a77de6ef", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1922, eliminated_buckets=137, considered_events=42175337, total_slices=13752500, decompressed_slices=4123642, duration.command.search.index=14944, invocations.command.search.index.bucketcache.hit=1922, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=226333, invocations.command.search.rawdata.bucketcache.hit=288, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 10:16:38.568, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654683360_88193', total_run_time=9.31, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654683371, api_et=1654679160.000000000, api_lt=1654682760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654679760.000000000, search_lt=1654683373.593606000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3630", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_6fff204267342af0", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1099, eliminated_buckets=387, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=849, invocations.command.search.index.bucketcache.hit=1099, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 10:15:18.570, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654683240_88153', total_run_time=5.93, event_count=0, result_count=0, available_count=0, scan_count=18273, drop_count=0, exec_time=1654683263, api_et=1654679640.000000000, api_lt=1654683240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654679640.000000000, search_lt=1654683265.022983000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2774", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=416, eliminated_buckets=286, considered_events=18826, total_slices=478909, decompressed_slices=3598, duration.command.search.index=1081, invocations.command.search.index.bucketcache.hit=415, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=6254, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=32, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=133, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=260, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=62, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=5, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=108, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=1, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") 
`filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-08-2022 10:12:20.464, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654683060_88086', total_run_time=4.92, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654683064, api_et=1654679460.000000000, api_lt=1654683060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654679460.000000000, search_lt=1654683066.848403000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2905", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_e9aba1afc9878491", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=141, eliminated_buckets=61, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=59, invocations.command.search.index.bucketcache.hit=141, 
duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 10:09:38.768, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654682820_88027', total_run_time=19.17, event_count=1145, result_count=57, available_count=0, scan_count=354189, drop_count=0, exec_time=1654682885, api_et=1654679220.000000000, api_lt=1654682820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654679220.000000000, search_lt=1654682886.992650000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2939", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=416, eliminated_buckets=201, considered_events=358549, total_slices=579004, decompressed_slices=108270, duration.command.search.index=4117, invocations.command.search.index.bucketcache.hit=416, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=34133, invocations.command.search.rawdata.bucketcache.hit=7, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=2, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=284362, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=33870, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-08-2022 10:09:38.291, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654682940_88041', total_run_time=19.03, event_count=0, result_count=0, available_count=0, scan_count=5367258, drop_count=0, exec_time=1654682946, api_et=1654678740.000000000, api_lt=1654682340.000000000, 
api_index_et=N/A, api_index_lt=N/A, search_et=1654678740.000000000, search_lt=1654682340.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3081", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_27d49f9a223cef62", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=795, eliminated_buckets=387, considered_events=5367258, total_slices=1139219, decompressed_slices=243955, duration.command.search.index=2160, invocations.command.search.index.bucketcache.hit=794, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=38063, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=182, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | 
stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 10:09:36.990, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654682820_88017', total_run_time=7.74, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654682847, api_et=1654679220.000000000, api_lt=1654682820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654679220.000000000, search_lt=1654682848.844060000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2823", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_c7662d6b9ee1f3f4", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=416, eliminated_buckets=201, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=849, invocations.command.search.index.bucketcache.hit=416, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, 
invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 09:46:15.861, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654681380_87522', total_run_time=25.50, event_count=0, result_count=0, available_count=0, scan_count=3805, drop_count=0, exec_time=1654681418, api_et=1654677780.000000000, api_lt=1654681380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654677780.000000000, search_lt=1654681420.633065000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2981", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_48794d2b6ae1e09e", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=122, eliminated_buckets=0, considered_events=3805, total_slices=1024861, decompressed_slices=858, duration.command.search.index=1166, invocations.command.search.index.bucketcache.hit=122, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4986, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 09:46:13.638, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654680780_87304', total_run_time=43.09, event_count=0, result_count=0, available_count=0, scan_count=41815320, drop_count=0, exec_time=1654680805, api_et=1654677180.000000000, api_lt=1654680780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654677180.000000000, search_lt=1654680807.414562000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3766", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_edb0450607c83010", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1921, eliminated_buckets=137, considered_events=41815320, total_slices=13737350, decompressed_slices=4071221, duration.command.search.index=17922, invocations.command.search.index.bucketcache.hit=1921, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=234090, invocations.command.search.rawdata.bucketcache.hit=291, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 09:16:44.639, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654679760_86937', total_run_time=24.35, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654679771, api_et=1654675560.000000000, api_lt=1654679160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654676160.000000000, search_lt=1654679773.321984000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3696", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_9806e38abf9a03f8", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1100, eliminated_buckets=386, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=1015, invocations.command.search.index.bucketcache.hit=1100, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 09:14:47.463, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654679640_86897', total_run_time=4.65, event_count=0, result_count=0, available_count=0, scan_count=14139, drop_count=0, exec_time=1654679663, api_et=1654676040.000000000, api_lt=1654679640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654676040.000000000, search_lt=1654679665.468265000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2993", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=417, eliminated_buckets=287, considered_events=14139, total_slices=415285, decompressed_slices=3268, duration.command.search.index=1037, invocations.command.search.index.bucketcache.hit=416, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5690, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=32, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=168, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=337, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=80, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=3, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=145, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=10, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") 
`filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-08-2022 09:11:41.290, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654679340_86782', total_run_time=20.00, event_count=0, result_count=0, available_count=0, scan_count=5043462, drop_count=0, exec_time=1654679346, api_et=1654675140.000000000, api_lt=1654678740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654675140.000000000, search_lt=1654678740.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3183", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_7d5c7002354fba27", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=790, eliminated_buckets=379, considered_events=5043462, total_slices=1151832, decompressed_slices=229592, duration.command.search.index=2073, invocations.command.search.index.bucketcache.hit=788, 
duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=37581, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=123, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | 
`rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 09:11:41.240, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654679220_86764', total_run_time=14.80, event_count=1124, result_count=53, available_count=0, scan_count=358814, drop_count=0, exec_time=1654679280, api_et=1654675620.000000000, api_lt=1654679220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654675620.000000000, search_lt=1654679281.938774000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2737", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=415, eliminated_buckets=201, considered_events=367658, total_slices=655588, decompressed_slices=107712, duration.command.search.index=3598, invocations.command.search.index.bucketcache.hit=415, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=29063, invocations.command.search.rawdata.bucketcache.hit=6, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=2, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=287652, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=33311, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-08-2022 09:11:39.892, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654679460_86829', total_run_time=4.90, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654679464, api_et=1654675860.000000000, api_lt=1654679460.000000000, api_index_et=N/A, 
api_index_lt=N/A, search_et=1654675860.000000000, search_lt=1654679466.705607000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2888", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_8e472e92ad883a04", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=60, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=56, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval 
risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 09:07:47.896, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654679220_86759', total_run_time=6.47, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654679246, api_et=1654675620.000000000, api_lt=1654679220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654675620.000000000, search_lt=1654679248.089407000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2784", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_238ef3f58654e53e", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=415, eliminated_buckets=201, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=904, invocations.command.search.index.bucketcache.hit=415, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, 
invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 09:00:05.466, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654678740_86554', total_run_time=14.57, event_count=0, result_count=0, available_count=0, scan_count=22432150, drop_count=0, exec_time=1654678790, api_et=1654664340.000000000, api_lt=1654678740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654664340.000000000, search_lt=1654678740.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3335", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=22432150, total_slices=1592936, decompressed_slices=370727, duration.command.search.index=7708, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57445, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11534724, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 08:59:05.250, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654678680_86541', total_run_time=13.10, event_count=0, result_count=0, available_count=0, scan_count=22433114, drop_count=0, exec_time=1654678729, api_et=1654664280.000000000, api_lt=1654678680.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654664280.000000000, search_lt=1654678680.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3107", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=0, considered_events=22433114, total_slices=1591314, decompressed_slices=370757, duration.command.search.index=7679, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56159, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11534116, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 08:58:38.483, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654678620_86525', total_run_time=13.60, event_count=0, result_count=0, available_count=0, scan_count=22432707, drop_count=0, exec_time=1654678670, api_et=1654664220.000000000, api_lt=1654678620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654664220.000000000, search_lt=1654678620.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2766", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=0, considered_events=22432707, total_slices=1589613, decompressed_slices=370755, duration.command.search.index=8257, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57393, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11534406, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 08:58:34.133, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654678560_86507', total_run_time=12.84, event_count=0, result_count=0, available_count=0, scan_count=22433932, drop_count=0, exec_time=1654678609, api_et=1654664160.000000000, api_lt=1654678560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654664160.000000000, search_lt=1654678560.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2661", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=0, considered_events=22433932, total_slices=1587978, decompressed_slices=370732, duration.command.search.index=7808, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55759, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11537243, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 08:56:08.198, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654678500_86496', total_run_time=13.58, event_count=0, result_count=0, available_count=0, scan_count=22430791, drop_count=0, exec_time=1654678549, api_et=1654664100.000000000, api_lt=1654678500.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654664100.000000000, search_lt=1654678500.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2635", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=129, eliminated_buckets=0, considered_events=22430791, total_slices=1586400, decompressed_slices=370657, duration.command.search.index=7919, invocations.command.search.index.bucketcache.hit=129, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57816, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11535922, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 08:55:08.033, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654678440_86479', total_run_time=12.43, event_count=0, result_count=0, available_count=0, scan_count=22427103, drop_count=0, exec_time=1654678489, api_et=1654664040.000000000, api_lt=1654678440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654664040.000000000, search_lt=1654678440.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2671", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=129, eliminated_buckets=0, considered_events=22427103, total_slices=1584732, decompressed_slices=370660, duration.command.search.index=8079, invocations.command.search.index.bucketcache.hit=129, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=54989, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11534315, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 08:54:07.586, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654678080_86339', total_run_time=13.18, event_count=0, result_count=0, available_count=0, scan_count=22416124, drop_count=0, exec_time=1654678130, api_et=1654663680.000000000, api_lt=1654678080.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654663680.000000000, search_lt=1654678080.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3214", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=129, eliminated_buckets=0, considered_events=22416124, total_slices=1574974, decompressed_slices=370772, duration.command.search.index=7817, invocations.command.search.index.bucketcache.hit=129, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=54738, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11535185, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 08:54:07.114, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654678200_86397', total_run_time=15.80, event_count=0, result_count=0, available_count=0, scan_count=22419031, drop_count=0, exec_time=1654678249, api_et=1654663800.000000000, api_lt=1654678200.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654663800.000000000, search_lt=1654678200.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3028", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=129, eliminated_buckets=0, considered_events=22419031, total_slices=1578299, decompressed_slices=370642, duration.command.search.index=8522, invocations.command.search.index.bucketcache.hit=129, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=63105, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11534082, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 08:54:05.481, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654678380_86463', total_run_time=14.00, event_count=0, result_count=0, available_count=0, scan_count=22425931, drop_count=0, exec_time=1654678429, api_et=1654663980.000000000, api_lt=1654678380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654663980.000000000, search_lt=1654678380.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3299", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=129, eliminated_buckets=0, considered_events=22425931, total_slices=1583096, decompressed_slices=370667, duration.command.search.index=8165, invocations.command.search.index.bucketcache.hit=129, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=54882, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11533093, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 08:54:05.185, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654678140_86362', total_run_time=14.01, event_count=0, result_count=0, available_count=0, scan_count=22415361, drop_count=0, exec_time=1654678190, api_et=1654663740.000000000, api_lt=1654678140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654663740.000000000, search_lt=1654678140.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3300", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=129, eliminated_buckets=0, considered_events=22415361, total_slices=1576673, decompressed_slices=370630, duration.command.search.index=7791, invocations.command.search.index.bucketcache.hit=129, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58212, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11534099, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 08:54:04.927, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654678260_86421', total_run_time=16.28, event_count=0, result_count=0, available_count=0, scan_count=22422000, drop_count=0, exec_time=1654678309, api_et=1654663860.000000000, api_lt=1654678260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654663860.000000000, search_lt=1654678260.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2691", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=129, eliminated_buckets=0, considered_events=22422000, total_slices=1579907, decompressed_slices=370698, duration.command.search.index=9054, invocations.command.search.index.bucketcache.hit=129, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61935, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11534080, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 08:54:04.721, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654678320_86439', total_run_time=16.02, event_count=0, result_count=0, available_count=0, scan_count=22424395, drop_count=0, exec_time=1654678369, api_et=1654663920.000000000, api_lt=1654678320.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654663920.000000000, search_lt=1654678320.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2810", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=129, eliminated_buckets=0, considered_events=22424395, total_slices=1581539, decompressed_slices=370672, duration.command.search.index=8622, invocations.command.search.index.bucketcache.hit=129, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61893, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11533315, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 08:48:26.237, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654678020_86323', total_run_time=14.05, event_count=0, result_count=0, available_count=0, scan_count=22411129, drop_count=0, exec_time=1654678070, api_et=1654663620.000000000, api_lt=1654678020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654663620.000000000, search_lt=1654678020.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3045", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=129, eliminated_buckets=0, considered_events=22411129, total_slices=1573431, decompressed_slices=370815, duration.command.search.index=7668, invocations.command.search.index.bucketcache.hit=129, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58197, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11534339, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 08:47:15.030, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654677960_86301', total_run_time=13.17, event_count=0, result_count=0, available_count=0, scan_count=22406987, drop_count=0, exec_time=1654678010, api_et=1654663560.000000000, api_lt=1654677960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654663560.000000000, search_lt=1654677960.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2983", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=129, eliminated_buckets=0, considered_events=22406987, total_slices=1571867, decompressed_slices=370772, duration.command.search.index=7732, invocations.command.search.index.bucketcache.hit=129, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55651, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11532179, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 08:46:53.914, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654677780_86237', total_run_time=22.67, event_count=0, result_count=0, available_count=0, scan_count=3320, drop_count=0, exec_time=1654677818, api_et=1654674180.000000000, api_lt=1654677780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654674180.000000000, search_lt=1654677820.020867000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2841", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_d0d140ecdde66222", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=122, eliminated_buckets=0, considered_events=3320, total_slices=1067337, decompressed_slices=858, duration.command.search.index=1097, invocations.command.search.index.bucketcache.hit=122, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5046, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 08:46:51.661, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654677660_86187', total_run_time=19.47, event_count=0, result_count=0, available_count=0, scan_count=22395689, drop_count=0, exec_time=1654677709, api_et=1654663260.000000000, api_lt=1654677660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654663260.000000000, search_lt=1654677660.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2811", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=129, eliminated_buckets=0, considered_events=22395689, total_slices=1563743, decompressed_slices=370783, duration.command.search.index=8402, invocations.command.search.index.bucketcache.hit=129, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59035, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11532316, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 08:46:50.889, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654677840_86261', total_run_time=13.65, event_count=0, result_count=0, available_count=0, scan_count=22402532, drop_count=0, exec_time=1654677889, api_et=1654663440.000000000, api_lt=1654677840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654663440.000000000, search_lt=1654677840.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2696", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=129, eliminated_buckets=0, considered_events=22402532, total_slices=1568452, decompressed_slices=370743, duration.command.search.index=8073, invocations.command.search.index.bucketcache.hit=129, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55535, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11530634, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 08:46:50.804, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654677900_86283', total_run_time=13.49, event_count=0, result_count=0, available_count=0, scan_count=22406968, drop_count=0, exec_time=1654677951, api_et=1654663500.000000000, api_lt=1654677900.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654663500.000000000, search_lt=1654677900.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3156", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=129, eliminated_buckets=0, considered_events=22406968, total_slices=1570246, decompressed_slices=370735, duration.command.search.index=7624, invocations.command.search.index.bucketcache.hit=129, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58754, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11533034, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 08:46:50.332, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654677720_86210', total_run_time=14.16, event_count=0, result_count=0, available_count=0, scan_count=22396735, drop_count=0, exec_time=1654677769, api_et=1654663320.000000000, api_lt=1654677720.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654663320.000000000, search_lt=1654677720.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2751", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=129, eliminated_buckets=0, considered_events=22396735, total_slices=1565369, decompressed_slices=370774, duration.command.search.index=7840, invocations.command.search.index.bucketcache.hit=129, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58729, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11530952, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 08:46:49.685, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654677780_86240', total_run_time=13.76, event_count=0, result_count=0, available_count=0, scan_count=22400802, drop_count=0, exec_time=1654677829, api_et=1654663380.000000000, api_lt=1654677780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654663380.000000000, search_lt=1654677780.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3220", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=129, eliminated_buckets=0, considered_events=22400802, total_slices=1566951, decompressed_slices=370710, duration.command.search.index=7961, invocations.command.search.index.bucketcache.hit=129, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56667, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11529536, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 08:41:32.674, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654677600_86162', total_run_time=15.70, event_count=0, result_count=0, available_count=0, scan_count=22397342, drop_count=0, exec_time=1654677650, api_et=1654663200.000000000, api_lt=1654677600.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654663200.000000000, search_lt=1654677600.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2824", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=129, eliminated_buckets=0, considered_events=22397342, total_slices=1562139, decompressed_slices=370751, duration.command.search.index=8368, invocations.command.search.index.bucketcache.hit=129, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58582, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11532803, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 08:40:17.003, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654677540_86126', total_run_time=14.81, event_count=0, result_count=0, available_count=0, scan_count=22393727, drop_count=0, exec_time=1654677590, api_et=1654663140.000000000, api_lt=1654677540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654663140.000000000, search_lt=1654677540.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2683", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=128, eliminated_buckets=0, considered_events=22393727, total_slices=1560418, decompressed_slices=370706, duration.command.search.index=7778, invocations.command.search.index.bucketcache.hit=128, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59913, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11531716, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 08:39:46.589, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654677360_86081', total_run_time=13.72, event_count=0, result_count=0, available_count=0, scan_count=22384369, drop_count=0, exec_time=1654677410, api_et=1654662960.000000000, api_lt=1654677360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654662960.000000000, search_lt=1654677360.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2705", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=128, eliminated_buckets=0, considered_events=22384369, total_slices=1555655, decompressed_slices=370871, duration.command.search.index=7985, invocations.command.search.index.bucketcache.hit=128, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55241, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11531470, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 08:39:45.837, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654677240_86050', total_run_time=13.84, event_count=0, result_count=0, available_count=0, scan_count=22380739, drop_count=0, exec_time=1654677290, api_et=1654662840.000000000, api_lt=1654677240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654662840.000000000, search_lt=1654677240.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2777", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=127, eliminated_buckets=0, considered_events=22380739, total_slices=1552479, decompressed_slices=370718, duration.command.search.index=8306, invocations.command.search.index.bucketcache.hit=127, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57759, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11532100, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 08:39:45.744, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654677180_86002', total_run_time=48.94, event_count=0, result_count=0, available_count=0, scan_count=41773979, drop_count=0, exec_time=1654677206, api_et=1654673580.000000000, api_lt=1654677180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654673580.000000000, search_lt=1654677208.190005000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3656", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_52b61a5ed0ad248a", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1922, eliminated_buckets=137, considered_events=41773979, total_slices=13746288, decompressed_slices=4064910, duration.command.search.index=14729, invocations.command.search.index.bucketcache.hit=1922, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=235894, invocations.command.search.rawdata.bucketcache.hit=288, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 08:39:45.533, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654677180_86014', total_run_time=19.18, event_count=0, result_count=0, available_count=0, scan_count=22377810, drop_count=0, exec_time=1654677229, api_et=1654662780.000000000, api_lt=1654677180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654662780.000000000, search_lt=1654677180.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3018", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=127, eliminated_buckets=0, considered_events=22377810, total_slices=1550820, decompressed_slices=370684, duration.command.search.index=9784, invocations.command.search.index.bucketcache.hit=127, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=70894, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11531620, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 08:39:44.630, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654677420_86096', total_run_time=13.37, event_count=0, result_count=0, available_count=0, scan_count=22388502, drop_count=0, exec_time=1654677470, api_et=1654663020.000000000, api_lt=1654677420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654663020.000000000, search_lt=1654677420.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2580", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=128, eliminated_buckets=0, considered_events=22388502, total_slices=1557131, decompressed_slices=370835, duration.command.search.index=7900, invocations.command.search.index.bucketcache.hit=128, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55549, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11531306, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 08:39:44.058, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654677300_86071', total_run_time=13.63, event_count=0, result_count=0, available_count=0, scan_count=22382823, drop_count=0, exec_time=1654677350, api_et=1654662900.000000000, api_lt=1654677300.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654662900.000000000, search_lt=1654677300.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2616", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=128, eliminated_buckets=0, considered_events=22382823, total_slices=1554025, decompressed_slices=370775, duration.command.search.index=8105, invocations.command.search.index.bucketcache.hit=128, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=54978, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11531748, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 08:39:43.166, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654677480_86109', total_run_time=13.40, event_count=0, result_count=0, available_count=0, scan_count=22391502, drop_count=0, exec_time=1654677528, api_et=1654663080.000000000, api_lt=1654677480.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654663080.000000000, search_lt=1654677480.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2669", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=128, eliminated_buckets=0, considered_events=22391502, total_slices=1558800, decompressed_slices=370727, duration.command.search.index=7944, invocations.command.search.index.bucketcache.hit=128, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55057, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11530643, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 08:33:28.326, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654677120_85977', total_run_time=19.05, event_count=0, result_count=0, available_count=0, scan_count=22372592, drop_count=0, exec_time=1654677169, api_et=1654662720.000000000, api_lt=1654677120.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654662720.000000000, search_lt=1654677120.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2801", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=127, eliminated_buckets=0, considered_events=22372592, total_slices=1549026, decompressed_slices=370667, duration.command.search.index=9357, invocations.command.search.index.bucketcache.hit=127, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=73413, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11531525, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 08:32:26.820, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654677060_85947', total_run_time=17.91, event_count=0, result_count=0, available_count=0, scan_count=22370486, drop_count=0, exec_time=1654677109, api_et=1654662660.000000000, api_lt=1654677060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654662660.000000000, search_lt=1654677060.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2719", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=127, eliminated_buckets=0, considered_events=22370486, total_slices=1547438, decompressed_slices=370677, duration.command.search.index=9314, invocations.command.search.index.bucketcache.hit=127, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=70474, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11532634, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 08:31:27.036, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654677000_85919', total_run_time=23.65, event_count=0, result_count=0, available_count=0, scan_count=22371567, drop_count=0, exec_time=1654677049, api_et=1654662600.000000000, api_lt=1654677000.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654662600.000000000, search_lt=1654677000.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3444", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=127, eliminated_buckets=0, considered_events=22371567, total_slices=1545799, decompressed_slices=370635, duration.command.search.index=12256, invocations.command.search.index.bucketcache.hit=127, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=98786, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11532716, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 08:30:27.898, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654676940_85877', total_run_time=14.21, event_count=0, result_count=0, available_count=0, scan_count=22367885, drop_count=0, exec_time=1654676990, api_et=1654662540.000000000, api_lt=1654676940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654662540.000000000, search_lt=1654676940.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2751", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=127, eliminated_buckets=0, considered_events=22367885, total_slices=1543109, decompressed_slices=370632, duration.command.search.index=7465, invocations.command.search.index.bucketcache.hit=127, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58808, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11531591, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 08:29:26.630, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654676880_85863', total_run_time=12.88, event_count=0, result_count=0, available_count=0, scan_count=22371639, drop_count=0, exec_time=1654676929, api_et=1654662480.000000000, api_lt=1654676880.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654662480.000000000, search_lt=1654676880.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2708", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=127, eliminated_buckets=0, considered_events=22371639, total_slices=1542430, decompressed_slices=370760, duration.command.search.index=7670, invocations.command.search.index.bucketcache.hit=127, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=54970, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11535315, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 08:28:26.981, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654676820_85849', total_run_time=13.53, event_count=0, result_count=0, available_count=0, scan_count=22371189, drop_count=0, exec_time=1654676870, api_et=1654662420.000000000, api_lt=1654676820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654662420.000000000, search_lt=1654676820.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2875", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=127, eliminated_buckets=0, considered_events=22371189, total_slices=1540793, decompressed_slices=370743, duration.command.search.index=7787, invocations.command.search.index.bucketcache.hit=127, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56020, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11537399, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 08:27:26.993, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654676760_85831', total_run_time=12.99, event_count=0, result_count=0, available_count=0, scan_count=22370773, drop_count=0, exec_time=1654676809, api_et=1654662360.000000000, api_lt=1654676760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654662360.000000000, search_lt=1654676760.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2604", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=127, eliminated_buckets=0, considered_events=22370773, total_slices=1539239, decompressed_slices=370878, duration.command.search.index=7914, invocations.command.search.index.bucketcache.hit=127, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=54974, invocations.command.search.rawdata.bucketcache.hit=9, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11539442, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 08:26:26.735, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654676700_85815', total_run_time=13.53, event_count=0, result_count=0, available_count=0, scan_count=22373288, drop_count=0, exec_time=1654676750, api_et=1654662300.000000000, api_lt=1654676700.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654662300.000000000, search_lt=1654676700.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2665", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=127, eliminated_buckets=0, considered_events=22373288, total_slices=1537592, decompressed_slices=370859, duration.command.search.index=7802, invocations.command.search.index.bucketcache.hit=127, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55336, invocations.command.search.rawdata.bucketcache.hit=9, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11541392, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 08:25:27.378, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654676640_85802', total_run_time=13.46, event_count=0, result_count=0, available_count=0, scan_count=22369870, drop_count=0, exec_time=1654676690, api_et=1654662240.000000000, api_lt=1654676640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654662240.000000000, search_lt=1654676640.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2700", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=128, eliminated_buckets=0, considered_events=22369870, total_slices=1535958, decompressed_slices=370879, duration.command.search.index=7891, invocations.command.search.index.bucketcache.hit=128, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55808, invocations.command.search.rawdata.bucketcache.hit=9, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11538721, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 08:24:13.986, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654676580_85783', total_run_time=15.48, event_count=0, result_count=0, available_count=0, scan_count=22366590, drop_count=0, exec_time=1654676629, api_et=1654662180.000000000, api_lt=1654676580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654662180.000000000, search_lt=1654676580.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2688", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=128, eliminated_buckets=0, considered_events=22366590, total_slices=1560403, decompressed_slices=370929, duration.command.search.index=8079, invocations.command.search.index.bucketcache.hit=128, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57350, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11538453, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 08:23:47.636, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654676340_85666', total_run_time=14.14, event_count=0, result_count=0, available_count=0, scan_count=22368770, drop_count=0, exec_time=1654676389, api_et=1654661940.000000000, api_lt=1654676340.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654661940.000000000, search_lt=1654676340.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2687", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=127, eliminated_buckets=0, considered_events=22368770, total_slices=1553903, decompressed_slices=371108, duration.command.search.index=8129, invocations.command.search.index.bucketcache.hit=127, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55894, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11544639, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 08:23:47.391, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654676400_85703', total_run_time=16.57, event_count=0, result_count=0, available_count=0, scan_count=22366159, drop_count=0, exec_time=1654676450, api_et=1654662000.000000000, api_lt=1654676400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654662000.000000000, search_lt=1654676400.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2882", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=127, eliminated_buckets=0, considered_events=22366159, total_slices=1555556, decompressed_slices=370997, duration.command.search.index=9079, invocations.command.search.index.bucketcache.hit=127, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=60994, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11544459, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 08:23:47.140, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD5f35305de57109d38_at_1654676400_85708', total_run_time=17.18, event_count=11544459, result_count=15, available_count=0, scan_count=22366158, drop_count=0, exec_time=1654676459, api_et=1654662000.000000000, api_lt=1654676400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654662000.000000000, search_lt=1654676400.000000000, is_realtime=0, savedsearch_name="(1/3)_Public/NAT IP_Updating Existing IP", search_startup_time="2961", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_0f6d107c44b6659a", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=127, eliminated_buckets=0, considered_events=22366158, total_slices=1555794, decompressed_slices=370996, duration.command.search.index=9073, invocations.command.search.index.bucketcache.hit=127, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59463, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11544459, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="False" | eval earliest_seen=strptime(existing_es, "%m/%d/%Y %H:%M:%S.%N") | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(earliest_seen) as 
earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields ServiceType, host, src_translated_ip, earliest_seen, latest_seen, right_now, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 08:23:44.213, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654676460_85733', total_run_time=13.90, event_count=0, result_count=0, available_count=0, scan_count=22365541, drop_count=0, exec_time=1654676510, api_et=1654662060.000000000, api_lt=1654676460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654662060.000000000, search_lt=1654676460.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2747", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=127, eliminated_buckets=0, considered_events=22365541, total_slices=1557006, decompressed_slices=371020, duration.command.search.index=8216, invocations.command.search.index.bucketcache.hit=127, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56553, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11542392, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 08:23:44.186, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654676520_85749', total_run_time=13.39, event_count=0, result_count=0, available_count=0, scan_count=22366121, drop_count=0, exec_time=1654676569, api_et=1654662120.000000000, api_lt=1654676520.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654662120.000000000, search_lt=1654676520.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3110", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=128, eliminated_buckets=0, considered_events=22366121, total_slices=1558674, decompressed_slices=371012, duration.command.search.index=7746, invocations.command.search.index.bucketcache.hit=128, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56101, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11540792, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 08:19:12.803, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654676280_85635', total_run_time=14.28, event_count=0, result_count=0, available_count=0, scan_count=22368639, drop_count=0, exec_time=1654676337, api_et=1654661880.000000000, api_lt=1654676280.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654661880.000000000, search_lt=1654676280.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2898", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=127, eliminated_buckets=0, considered_events=22368639, total_slices=1552545, decompressed_slices=371178, duration.command.search.index=8468, invocations.command.search.index.bucketcache.hit=127, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59235, invocations.command.search.rawdata.bucketcache.hit=9, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11544187, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 08:18:14.899, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654676220_85620', total_run_time=13.54, event_count=0, result_count=0, available_count=0, scan_count=22368794, drop_count=0, exec_time=1654676270, api_et=1654661820.000000000, api_lt=1654676220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654661820.000000000, search_lt=1654676220.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3202", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=22368794, total_slices=1550737, decompressed_slices=371190, duration.command.search.index=8011, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57048, invocations.command.search.rawdata.bucketcache.hit=9, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11545115, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 08:17:13.352, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654676160_85595', total_run_time=13.46, event_count=0, result_count=0, available_count=0, scan_count=22367305, drop_count=0, exec_time=1654676210, api_et=1654661760.000000000, api_lt=1654676160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654661760.000000000, search_lt=1654676160.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3054", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=22367305, total_slices=1548933, decompressed_slices=371223, duration.command.search.index=8086, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56992, invocations.command.search.rawdata.bucketcache.hit=9, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11546394, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 08:16:44.424, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654676160_85589', total_run_time=17.27, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654676170, api_et=1654671960.000000000, api_lt=1654675560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654672560.000000000, search_lt=1654676173.114836000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3767", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_9412c83bc533edb4", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1106, eliminated_buckets=387, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=1364, invocations.command.search.index.bucketcache.hit=1106, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?<rapiddiag_operation>task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metadata")` | rex field=uri "\?(?<get_parameters>.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?<task_name>.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metadata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes 
values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 08:16:13.028, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654676100_85578', total_run_time=15.04, event_count=0, result_count=0, available_count=0, scan_count=22367152, drop_count=0, exec_time=1654676151, api_et=1654661700.000000000, api_lt=1654676100.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654661700.000000000, search_lt=1654676100.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3147", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=22367152, total_slices=1547590, 
decompressed_slices=371190, duration.command.search.index=8244, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=60621, invocations.command.search.rawdata.bucketcache.hit=9, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11546619, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 08:15:17.833, 
user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654676040_85546', total_run_time=4.02, event_count=0, result_count=0, available_count=0, scan_count=10867, drop_count=0, exec_time=1654676063, api_et=1654672440.000000000, api_lt=1654676040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654672440.000000000, search_lt=1654676065.024188000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2832", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=413, eliminated_buckets=282, considered_events=10901, total_slices=373085, decompressed_slices=2792, duration.command.search.index=954, invocations.command.search.index.bucketcache.hit=413, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5552, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=35, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=95, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=232, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=55, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=2, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=101, sourcetype_count__crowdstrike:falcon:fdr:SevenZipFileWritten=6, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=15, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull 
value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-08-2022 08:15:17.670, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654676040_85559', total_run_time=12.90, event_count=0, result_count=0, available_count=0, scan_count=22365136, drop_count=0, exec_time=1654676089, api_et=1654661640.000000000, api_lt=1654676040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654661640.000000000, search_lt=1654676040.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2679", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=22365136, total_slices=1545850, decompressed_slices=371222, duration.command.search.index=7767, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, 
invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56499, invocations.command.search.rawdata.bucketcache.hit=9, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11545059, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 08:14:12.836, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654675980_85536', total_run_time=13.18, event_count=0, result_count=0, available_count=0, scan_count=22361150, drop_count=0, exec_time=1654676029, 
api_et=1654661580.000000000, api_lt=1654675980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654661580.000000000, search_lt=1654675980.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2798", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=22361150, total_slices=1544170, decompressed_slices=371216, duration.command.search.index=7964, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56576, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11544378, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS 
existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 08:13:12.497, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654675920_85508', total_run_time=13.12, event_count=0, result_count=0, available_count=0, scan_count=22364086, drop_count=0, exec_time=1654675969, api_et=1654661520.000000000, api_lt=1654675920.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654661520.000000000, search_lt=1654675920.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2708", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=22364086, total_slices=1542443, decompressed_slices=371240, duration.command.search.index=7959, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56090, invocations.command.search.rawdata.bucketcache.hit=8, 
duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11547254, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 08:12:12.402, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654675860_85489', total_run_time=13.64, event_count=0, result_count=0, available_count=0, scan_count=22363671, drop_count=0, exec_time=1654675909, api_et=1654661460.000000000, api_lt=1654675860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654661460.000000000, 
search_lt=1654675860.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2637", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=1, considered_events=22363671, total_slices=1540789, decompressed_slices=371196, duration.command.search.index=8353, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57083, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11548899, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | 
search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 08:11:12.605, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654675860_85471', total_run_time=5.24, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654675864, api_et=1654672260.000000000, api_lt=1654675860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654672260.000000000, search_lt=1654675867.057915000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="3192", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_21c817507a92d346", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=60, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=56, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, 
invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?<dest_host>.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 08:11:12.588, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654675800_85462', total_run_time=14.11, event_count=0, result_count=0, available_count=0, scan_count=22367121, drop_count=0, exec_time=1654675849, api_et=1654661400.000000000, api_lt=1654675800.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654661400.000000000, search_lt=1654675800.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3196", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=1, considered_events=22367121, total_slices=1539289, decompressed_slices=371220, duration.command.search.index=8379, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57146, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11549686, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 08:10:12.565, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654675740_85432', total_run_time=13.61, event_count=0, result_count=0, available_count=0, scan_count=22364504, drop_count=0, exec_time=1654675789, api_et=1654661340.000000000, api_lt=1654675740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654661340.000000000, search_lt=1654675740.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2691", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=1, considered_events=22364504, total_slices=1537597, decompressed_slices=371120, duration.command.search.index=7932, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56568, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11548888, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 08:09:42.591, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654675740_85424', total_run_time=18.65, event_count=0, result_count=0, available_count=0, scan_count=5055787, drop_count=0, exec_time=1654675746, api_et=1654671540.000000000, api_lt=1654675140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654671540.000000000, search_lt=1654675140.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3212", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_d229a4026ee5eba7", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=811, eliminated_buckets=391, considered_events=5055787, total_slices=1194970, decompressed_slices=227440, duration.command.search.index=2361, invocations.command.search.index.bucketcache.hit=807, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=37132, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=105, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 08:09:12.992, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654675680_85416', total_run_time=13.17, event_count=0, result_count=0, available_count=0, scan_count=22362104, drop_count=0, exec_time=1654675729, api_et=1654661280.000000000, api_lt=1654675680.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654661280.000000000, search_lt=1654675680.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New 
IP", search_startup_time="2881", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=1, considered_events=22362104, total_slices=1535952, decompressed_slices=371131, duration.command.search.index=8373, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55914, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11548950, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as 
latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 08:08:42.563, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654675620_85402', total_run_time=18.38, event_count=1134, result_count=53, available_count=0, scan_count=366259, drop_count=0, exec_time=1654675680, api_et=1654672020.000000000, api_lt=1654675620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654672020.000000000, search_lt=1654675682.096709000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2877", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=414, eliminated_buckets=202, considered_events=374634, total_slices=650555, decompressed_slices=111943, duration.command.search.index=3404, invocations.command.search.index.bucketcache.hit=413, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=28971, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=4, 
sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=291342, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=35553, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-08-2022 08:08:12.435, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654675620_85399', total_run_time=13.69, event_count=0, 
result_count=0, available_count=0, scan_count=22361295, drop_count=0, exec_time=1654675669, api_et=1654661220.000000000, api_lt=1654675620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654661220.000000000, search_lt=1654675620.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2731", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=1, considered_events=22361295, total_slices=1534230, decompressed_slices=371103, duration.command.search.index=8461, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58225, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11550560, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | 
lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 08:07:42.438, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654675620_85394', total_run_time=5.29, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654675646, api_et=1654672020.000000000, api_lt=1654675620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654672020.000000000, search_lt=1654675648.257372000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2700", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_24990bb63ec7f875", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=414, eliminated_buckets=202, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=770, invocations.command.search.index.bucketcache.hit=413, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, 
duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 08:07:12.381, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654675560_85377', total_run_time=14.28, event_count=0, result_count=0, available_count=0, scan_count=22358911, drop_count=0, exec_time=1654675610, api_et=1654661160.000000000, api_lt=1654675560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654661160.000000000, search_lt=1654675560.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2709", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=125, eliminated_buckets=0, considered_events=22358911, total_slices=1532621, decompressed_slices=371060, duration.command.search.index=8469, invocations.command.search.index.bucketcache.hit=125, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57781, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11551539, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 08:06:12.415, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654675500_85363', total_run_time=15.73, event_count=0, result_count=0, available_count=0, scan_count=22355575, drop_count=0, exec_time=1654675550, api_et=1654661100.000000000, api_lt=1654675500.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654661100.000000000, search_lt=1654675500.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2654", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=125, eliminated_buckets=0, considered_events=22355575, total_slices=1530981, decompressed_slices=370991, duration.command.search.index=8086, invocations.command.search.index.bucketcache.hit=125, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59312, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11551806, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 08:05:12.755, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654675440_85346', total_run_time=17.00, event_count=0, result_count=0, available_count=0, scan_count=22353510, drop_count=0, exec_time=1654675490, api_et=1654661040.000000000, api_lt=1654675440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654661040.000000000, search_lt=1654675440.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2826", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=125, eliminated_buckets=0, considered_events=22353510, total_slices=1529313, decompressed_slices=370967, duration.command.search.index=9537, invocations.command.search.index.bucketcache.hit=125, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=66666, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11550784, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 08:04:12.687, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654675380_85304', total_run_time=18.37, event_count=0, result_count=0, available_count=0, scan_count=22352076, drop_count=0, exec_time=1654675430, api_et=1654660980.000000000, api_lt=1654675380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654660980.000000000, search_lt=1654675380.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2682", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=125, eliminated_buckets=0, considered_events=22352076, total_slices=1527700, decompressed_slices=370931, duration.command.search.index=10694, invocations.command.search.index.bucketcache.hit=125, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=77794, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11550495, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 08:03:12.687, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654675320_85256', total_run_time=18.83, event_count=0, result_count=0, available_count=0, scan_count=22353981, drop_count=0, exec_time=1654675369, api_et=1654660920.000000000, api_lt=1654675320.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654660920.000000000, search_lt=1654675320.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2820", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=125, eliminated_buckets=1, considered_events=22353981, total_slices=1525886, decompressed_slices=371043, duration.command.search.index=10015, invocations.command.search.index.bucketcache.hit=125, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=84306, invocations.command.search.rawdata.bucketcache.hit=7, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11551614, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 08:02:12.606, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654675260_85225', total_run_time=21.05, event_count=0, result_count=0, available_count=0, scan_count=22351379, drop_count=0, exec_time=1654675309, api_et=1654660860.000000000, api_lt=1654675260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654660860.000000000, search_lt=1654675260.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2701", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=124, eliminated_buckets=1, considered_events=22351379, total_slices=1524208, decompressed_slices=371068, duration.command.search.index=11468, invocations.command.search.index.bucketcache.hit=124, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=95216, invocations.command.search.rawdata.bucketcache.hit=7, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11551620, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 08:01:42.741, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654675200_85195', total_run_time=31.16, event_count=0, result_count=0, available_count=0, scan_count=22350027, drop_count=0, exec_time=1654675249, api_et=1654660800.000000000, api_lt=1654675200.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654660800.000000000, search_lt=1654675200.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2731", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=124, eliminated_buckets=1, considered_events=22350027, total_slices=1522691, decompressed_slices=370988, duration.command.search.index=12610, invocations.command.search.index.bucketcache.hit=124, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=121758, invocations.command.search.rawdata.bucketcache.hit=7, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11550849, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 07:44:20.384, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654674180_84880', total_run_time=20.99, event_count=0, result_count=0, available_count=0, scan_count=3561, drop_count=0, exec_time=1654674218, api_et=1654670580.000000000, api_lt=1654674180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654670580.000000000, search_lt=1654674220.309086000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3036", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_50aaf9ffe97bd618", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=121, eliminated_buckets=2, considered_events=3561, total_slices=979802, decompressed_slices=904, duration.command.search.index=1135, invocations.command.search.index.bucketcache.hit=121, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4774, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter 
vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 07:39:13.591, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654673580_84661', total_run_time=326.50, event_count=0, result_count=0, available_count=0, scan_count=41805790, drop_count=0, exec_time=1654673605, api_et=1654669980.000000000, api_lt=1654673580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654669980.000000000, search_lt=1654673607.273137000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3677", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_2253a3a41cf56aba", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1921, eliminated_buckets=137, considered_events=41805790, total_slices=13886189, decompressed_slices=4068104, duration.command.search.index=14706, invocations.command.search.index.bucketcache.hit=1920, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=227171, invocations.command.search.rawdata.bucketcache.hit=289, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 07:16:41.002, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654672560_84293', total_run_time=8.30, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654672571, api_et=1654668360.000000000, api_lt=1654671960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654668960.000000000, search_lt=1654672573.424150000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3725", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_ac800c5427a503ca", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1106, eliminated_buckets=387, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=710, invocations.command.search.index.bucketcache.hit=1106, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes 
values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 07:14:41.176, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654672440_84253', total_run_time=5.07, event_count=0, result_count=0, available_count=0, scan_count=14610, drop_count=0, exec_time=1654672463, api_et=1654668840.000000000, api_lt=1654672440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654668840.000000000, search_lt=1654672465.144523000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2912", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=412, eliminated_buckets=284, considered_events=14620, total_slices=356368, decompressed_slices=2910, duration.command.search.index=1074, 
invocations.command.search.index.bucketcache.hit=412, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5707, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=52, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=136, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=326, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=79, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=2, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=222, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR 
sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." 
(CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-08-2022 07:11:11.029, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654672260_84188', total_run_time=4.82, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654672264, api_et=1654668660.000000000, api_lt=1654672260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654668660.000000000, search_lt=1654672266.745402000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2853", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_7195d65f42eb258b", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=59, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=51, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 07:09:41.217, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654672140_84143', total_run_time=19.14, event_count=0, result_count=0, available_count=0, scan_count=5256158, drop_count=0, exec_time=1654672146, api_et=1654667940.000000000, api_lt=1654671540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654667940.000000000, search_lt=1654671540.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3022", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_1f25c684d7a6ea27", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=796, eliminated_buckets=388, considered_events=5256158, total_slices=1127818, decompressed_slices=231397, duration.command.search.index=2050, invocations.command.search.index.bucketcache.hit=795, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=38107, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=85, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 07:08:41.095, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654672020_84124', total_run_time=17.30, event_count=1142, result_count=54, available_count=0, scan_count=361475, drop_count=0, exec_time=1654672080, api_et=1654668420.000000000, api_lt=1654672020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654668420.000000000, search_lt=1654672082.179098000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2864", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=412, eliminated_buckets=200, considered_events=367302, total_slices=595031, decompressed_slices=125145, duration.command.search.index=3746, invocations.command.search.index.bucketcache.hit=412, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=30796, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=3, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=291704, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=36094, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype 
CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-08-2022 07:07:41.276, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654672020_84119', total_run_time=6.44, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654672046, api_et=1654668420.000000000, api_lt=1654672020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654668420.000000000, search_lt=1654672048.375221000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="3004", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_7adadcb2b73631a3", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=412, eliminated_buckets=200, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=881, invocations.command.search.index.bucketcache.hit=412, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 06:44:24.873, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654670580_83621', total_run_time=21.27, event_count=0, result_count=0, available_count=0, scan_count=3213, drop_count=0, exec_time=1654670618, api_et=1654666980.000000000, api_lt=1654670580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654666980.000000000, search_lt=1654670620.500527000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2930", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_bf2416f296db9d91", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=119, eliminated_buckets=0, considered_events=3213, total_slices=1034539, decompressed_slices=854, duration.command.search.index=1340, invocations.command.search.index.bucketcache.hit=119, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4661, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 06:36:35.667, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654669980_83400', total_run_time=187.08, event_count=0, result_count=0, available_count=0, scan_count=41501798, drop_count=0, exec_time=1654670006, api_et=1654666380.000000000, api_lt=1654669980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654666380.000000000, search_lt=1654670008.975651000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="4089", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_e69e82e56700b98e", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1894, eliminated_buckets=137, considered_events=41501798, total_slices=13517097, decompressed_slices=4026702, duration.command.search.index=14883, invocations.command.search.index.bucketcache.hit=1892, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=240550, invocations.command.search.rawdata.bucketcache.hit=269, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 06:16:44.687, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654668960_83004', total_run_time=7.69, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654668970, api_et=1654664760.000000000, api_lt=1654668360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654665360.000000000, search_lt=1654668972.653671000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3518", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_f6f0bb171d4e9f89", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1108, eliminated_buckets=385, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=828, invocations.command.search.index.bucketcache.hit=1108, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 06:15:22.954, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654668840_82964', total_run_time=5.58, event_count=0, result_count=0, available_count=0, scan_count=14312, drop_count=0, exec_time=1654668863, api_et=1654665240.000000000, api_lt=1654668840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654665240.000000000, search_lt=1654668865.329856000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2911", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=416, eliminated_buckets=285, considered_events=14325, total_slices=440355, decompressed_slices=3404, duration.command.search.index=1018, invocations.command.search.index.bucketcache.hit=416, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=6280, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=47, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=145, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=362, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=87, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=1, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=102, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | 
`filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-08-2022 06:11:14.528, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654668660_82897', total_run_time=4.84, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654668664, api_et=1654665060.000000000, api_lt=1654668660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654665060.000000000, search_lt=1654668666.267758000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2822", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_eba6ce0e06596f5d", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=60, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=49, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 06:09:53.814, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654668540_82850', total_run_time=20.66, event_count=0, result_count=0, available_count=0, scan_count=5227844, drop_count=0, exec_time=1654668545, api_et=1654664340.000000000, api_lt=1654667940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654664340.000000000, search_lt=1654667940.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3172", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_06e29ba66df9787b", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=794, eliminated_buckets=384, considered_events=5227844, total_slices=1196355, decompressed_slices=238345, duration.command.search.index=2176, invocations.command.search.index.bucketcache.hit=794, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=38797, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=159, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 06:08:44.744, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654668420_82829', total_run_time=18.43, event_count=1150, result_count=53, available_count=0, scan_count=368295, drop_count=0, exec_time=1654668480, api_et=1654664820.000000000, api_lt=1654668420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654664820.000000000, search_lt=1654668482.481872000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2701", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=418, eliminated_buckets=207, considered_events=372429, total_slices=522425, decompressed_slices=114602, duration.command.search.index=4125, invocations.command.search.index.bucketcache.hit=418, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=33348, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=297077, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=33770, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | 
rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-08-2022 06:07:44.709, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654668420_82824', total_run_time=7.47, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654668446, api_et=1654664820.000000000, api_lt=1654668420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654664820.000000000, search_lt=1654668447.847848000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2663", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_dddbbe372543ca02", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=418, eliminated_buckets=207, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=1032, invocations.command.search.index.bucketcache.hit=418, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, 
invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 05:44:01.719, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654666980_82332', total_run_time=21.44, event_count=0, result_count=0, available_count=0, scan_count=3268, drop_count=0, exec_time=1654667018, api_et=1654663380.000000000, api_lt=1654666980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654663380.000000000, search_lt=1654667019.802166000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2355", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_e9559946f58969e3", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=113, eliminated_buckets=0, considered_events=3268, total_slices=990338, decompressed_slices=912, duration.command.search.index=1116, invocations.command.search.index.bucketcache.hit=113, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4790, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 05:38:59.016, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654666380_82113', total_run_time=305.72, event_count=0, result_count=0, available_count=0, scan_count=41303020, drop_count=0, exec_time=1654666405, api_et=1654662780.000000000, api_lt=1654666380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654662780.000000000, search_lt=1654666407.065370000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3735", has_error_msg=true, fully_completed_search=false, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_c1a2750471841df4", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1919, eliminated_buckets=137, considered_events=41303020, total_slices=13858599, decompressed_slices=4007068, duration.command.search.index=14393, invocations.command.search.index.bucketcache.hit=1919, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=232255, invocations.command.search.rawdata.bucketcache.hit=300, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 05:16:21.266, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654665360_81750', total_run_time=9.11, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654665371, api_et=1654661160.000000000, api_lt=1654664760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654661760.000000000, search_lt=1654665372.988459000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3901", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_f09a052c488c868b", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1105, eliminated_buckets=389, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=676, invocations.command.search.index.bucketcache.hit=1105, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 05:15:54.222, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654665240_81709', total_run_time=11.99, event_count=0, result_count=0, available_count=0, scan_count=13655, drop_count=0, exec_time=1654665264, api_et=1654661640.000000000, api_lt=1654665240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654661640.000000000, search_lt=1654665265.952828000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="3094", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=418, eliminated_buckets=286, considered_events=13655, total_slices=573419, decompressed_slices=3224, duration.command.search.index=1153, invocations.command.search.index.bucketcache.hit=418, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=8042, invocations.command.search.rawdata.bucketcache.hit=5, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=35, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=107, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=264, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=62, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=1, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=63, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=1, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") 
`filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-08-2022 05:11:12.348, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654665060_81643', total_run_time=4.97, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654665065, api_et=1654661460.000000000, api_lt=1654665060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654661460.000000000, search_lt=1654665067.371409000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="3023", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_017c5232a193ef24", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=59, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=52, invocations.command.search.index.bucketcache.hit=138, 
duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 05:10:29.550, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654664940_81599', total_run_time=42.01, event_count=0, result_count=0, available_count=0, scan_count=5180051, drop_count=0, exec_time=1654664946, api_et=1654660740.000000000, api_lt=1654664340.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654660740.000000000, search_lt=1654664340.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3336", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_6a66aed9badae036", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=818, eliminated_buckets=403, considered_events=5180051, total_slices=1220670, decompressed_slices=229133, duration.command.search.index=2728, invocations.command.search.index.bucketcache.hit=817, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59287, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=107, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 05:08:42.355, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654664820_81581', total_run_time=28.53, event_count=1132, result_count=55, available_count=0, scan_count=366445, drop_count=0, exec_time=1654664880, api_et=1654661220.000000000, api_lt=1654664820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654661220.000000000, search_lt=1654664882.678497000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="3112", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=417, eliminated_buckets=205, considered_events=376453, total_slices=550431, decompressed_slices=99696, duration.command.search.index=10131, invocations.command.search.index.bucketcache.hit=417, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=107612, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=1, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=296430, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=31936, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype 
CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-08-2022 05:08:12.272, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654664820_81575', total_run_time=18.97, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654664846, api_et=1654661220.000000000, api_lt=1654664820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654661220.000000000, search_lt=1654664848.277758000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2976", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_1393c53d04b70f6f", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=417, eliminated_buckets=205, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=2611, invocations.command.search.index.bucketcache.hit=417, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 05:00:34.646, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654664340_81367', total_run_time=16.07, event_count=0, result_count=0, available_count=0, scan_count=22574878, drop_count=0, exec_time=1654664390, api_et=1654649940.000000000, api_lt=1654664340.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654649940.000000000, search_lt=1654664340.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2755", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=114, eliminated_buckets=0, considered_events=22574878, total_slices=1277284, decompressed_slices=382907, duration.command.search.index=8329, invocations.command.search.index.bucketcache.hit=114, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=60928, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11481780, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 04:59:04.528, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654664280_81354', total_run_time=13.89, event_count=0, result_count=0, available_count=0, scan_count=22581556, drop_count=0, exec_time=1654664329, api_et=1654649880.000000000, api_lt=1654664280.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654649880.000000000, search_lt=1654664280.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2782", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=114, eliminated_buckets=0, considered_events=22581556, total_slices=1275549, decompressed_slices=383065, duration.command.search.index=8330, invocations.command.search.index.bucketcache.hit=114, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58943, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11483191, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 04:58:04.487, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654664220_81338', total_run_time=13.86, event_count=0, result_count=0, available_count=0, scan_count=22589272, drop_count=0, exec_time=1654664270, api_et=1654649820.000000000, api_lt=1654664220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654649820.000000000, search_lt=1654664220.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2701", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=114, eliminated_buckets=0, considered_events=22589272, total_slices=1273863, decompressed_slices=383170, duration.command.search.index=8486, invocations.command.search.index.bucketcache.hit=114, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58347, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11483876, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 04:57:04.714, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654664160_81321', total_run_time=13.62, event_count=0, result_count=0, available_count=0, scan_count=22600432, drop_count=0, exec_time=1654664209, api_et=1654649760.000000000, api_lt=1654664160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654649760.000000000, search_lt=1654664160.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2635", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=114, eliminated_buckets=0, considered_events=22600432, total_slices=1272245, decompressed_slices=383250, duration.command.search.index=8305, invocations.command.search.index.bucketcache.hit=114, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58281, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11485946, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 04:56:04.534, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654664100_81310', total_run_time=14.66, event_count=0, result_count=0, available_count=0, scan_count=22607100, drop_count=0, exec_time=1654664149, api_et=1654649700.000000000, api_lt=1654664100.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654649700.000000000, search_lt=1654664100.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3171", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=114, eliminated_buckets=0, considered_events=22607100, total_slices=1270639, decompressed_slices=383373, duration.command.search.index=8497, invocations.command.search.index.bucketcache.hit=114, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57112, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11487900, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 04:55:25.185, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654664040_81294', total_run_time=13.30, event_count=0, result_count=0, available_count=0, scan_count=22617847, drop_count=0, exec_time=1654664089, api_et=1654649640.000000000, api_lt=1654664040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654649640.000000000, search_lt=1654664040.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2723", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=114, eliminated_buckets=0, considered_events=22617847, total_slices=1269045, decompressed_slices=383405, duration.command.search.index=8599, invocations.command.search.index.bucketcache.hit=114, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55809, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11492097, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 04:54:05.856, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654663980_81278', total_run_time=15.96, event_count=0, result_count=0, available_count=0, scan_count=22625981, drop_count=0, exec_time=1654664029, api_et=1654649580.000000000, api_lt=1654663980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654649580.000000000, search_lt=1654663980.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="5084", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=114, eliminated_buckets=0, considered_events=22625981, total_slices=1267396, decompressed_slices=383500, duration.command.search.index=8420, invocations.command.search.index.bucketcache.hit=114, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57761, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11492806, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 04:53:05.974, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654663920_81254', total_run_time=15.20, event_count=0, result_count=0, available_count=0, scan_count=22638939, drop_count=0, exec_time=1654663970, api_et=1654649520.000000000, api_lt=1654663920.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654649520.000000000, search_lt=1654663920.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2743", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=114, eliminated_buckets=0, considered_events=22638939, total_slices=1265766, decompressed_slices=383768, duration.command.search.index=8649, invocations.command.search.index.bucketcache.hit=114, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=62553, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11496555, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 04:52:34.487, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654663860_81237', total_run_time=16.20, event_count=0, result_count=0, available_count=0, scan_count=22649038, drop_count=0, exec_time=1654663909, api_et=1654649460.000000000, api_lt=1654663860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654649460.000000000, search_lt=1654663860.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2682", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=114, eliminated_buckets=0, considered_events=22649038, total_slices=1264156, decompressed_slices=383825, duration.command.search.index=9705, invocations.command.search.index.bucketcache.hit=114, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=64875, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11499653, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 04:51:35.558, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654663800_81212', total_run_time=18.27, event_count=0, result_count=0, available_count=0, scan_count=22661765, drop_count=0, exec_time=1654663849, api_et=1654649400.000000000, api_lt=1654663800.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654649400.000000000, search_lt=1654663800.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3013", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=114, eliminated_buckets=0, considered_events=22661765, total_slices=1262581, decompressed_slices=383990, duration.command.search.index=9291, invocations.command.search.index.bucketcache.hit=114, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=65969, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11502207, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 04:50:34.806, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654663740_81176', total_run_time=15.84, event_count=0, result_count=0, available_count=0, scan_count=22672470, drop_count=0, exec_time=1654663790, api_et=1654649340.000000000, api_lt=1654663740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654649340.000000000, search_lt=1654663740.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2995", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=114, eliminated_buckets=0, considered_events=22672470, total_slices=1260877, decompressed_slices=383979, duration.command.search.index=8310, invocations.command.search.index.bucketcache.hit=114, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59493, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11503011, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 04:49:34.463, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654663680_81155', total_run_time=16.36, event_count=0, result_count=0, available_count=0, scan_count=22677769, drop_count=0, exec_time=1654663730, api_et=1654649280.000000000, api_lt=1654663680.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654649280.000000000, search_lt=1654663680.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3106", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=114, eliminated_buckets=0, considered_events=22677769, total_slices=1259170, decompressed_slices=384115, duration.command.search.index=8758, invocations.command.search.index.bucketcache.hit=114, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=64809, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11501727, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 04:48:04.991, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654663620_81138', total_run_time=13.35, event_count=0, result_count=0, available_count=0, scan_count=22691797, drop_count=0, exec_time=1654663670, api_et=1654649220.000000000, api_lt=1654663620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654649220.000000000, search_lt=1654663620.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3264", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=114, eliminated_buckets=0, considered_events=22691797, total_slices=1257519, decompressed_slices=384234, duration.command.search.index=8060, invocations.command.search.index.bucketcache.hit=114, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58990, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11504853, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 04:47:05.282, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654663560_81117', total_run_time=13.66, event_count=0, result_count=0, available_count=0, scan_count=22703835, drop_count=0, exec_time=1654663610, api_et=1654649160.000000000, api_lt=1654663560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654649160.000000000, search_lt=1654663560.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3414", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=114, eliminated_buckets=0, considered_events=22703835, total_slices=1255927, decompressed_slices=384255, duration.command.search.index=8040, invocations.command.search.index.bucketcache.hit=114, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58833, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11507359, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 04:46:34.746, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654663500_81099', total_run_time=16.14, event_count=0, result_count=0, available_count=0, scan_count=22713496, drop_count=0, exec_time=1654663551, api_et=1654649100.000000000, api_lt=1654663500.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654649100.000000000, search_lt=1654663500.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3936", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=114, eliminated_buckets=0, considered_events=22713496, total_slices=1254376, decompressed_slices=384424, duration.command.search.index=8319, invocations.command.search.index.bucketcache.hit=114, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61370, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11508474, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 04:45:34.436, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654663440_81076', total_run_time=14.64, event_count=0, result_count=0, available_count=0, scan_count=22722519, drop_count=0, exec_time=1654663490, api_et=1654649040.000000000, api_lt=1654663440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654649040.000000000, search_lt=1654663440.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3172", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=114, eliminated_buckets=0, considered_events=22722519, total_slices=1252641, decompressed_slices=384490, duration.command.search.index=8442, invocations.command.search.index.bucketcache.hit=114, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58249, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11510818, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 04:44:04.751, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654663380_81055', total_run_time=14.08, event_count=0, result_count=0, available_count=0, scan_count=22731798, drop_count=0, exec_time=1654663429, api_et=1654648980.000000000, api_lt=1654663380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654648980.000000000, search_lt=1654663380.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3240", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=114, eliminated_buckets=0, considered_events=22731798, total_slices=1251069, decompressed_slices=384728, duration.command.search.index=8544, invocations.command.search.index.bucketcache.hit=114, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57401, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11512627, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 04:44:04.406, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654663380_81052', total_run_time=22.66, event_count=0, result_count=0, available_count=0, scan_count=3339, drop_count=0, exec_time=1654663418, api_et=1654659780.000000000, api_lt=1654663380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654659780.000000000, search_lt=1654663420.542647000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2951", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_6aa8f2de5766d0d4", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=114, eliminated_buckets=0, considered_events=3339, total_slices=1078516, decompressed_slices=881, duration.command.search.index=1143, invocations.command.search.index.bucketcache.hit=114, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4920, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter 
vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 04:43:04.854, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654663320_81028', total_run_time=13.75, event_count=0, result_count=0, available_count=0, scan_count=22744871, drop_count=0, exec_time=1654663369, api_et=1654648920.000000000, api_lt=1654663320.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654648920.000000000, search_lt=1654663320.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2659", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=114, eliminated_buckets=0, considered_events=22744871, total_slices=1249430, decompressed_slices=384886, duration.command.search.index=8461, invocations.command.search.index.bucketcache.hit=114, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=60297, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11514578, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 04:42:34.683, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654663260_81005', total_run_time=22.84, event_count=0, result_count=0, available_count=0, scan_count=22756834, drop_count=0, exec_time=1654663309, api_et=1654648860.000000000, api_lt=1654663260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654648860.000000000, search_lt=1654663260.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2819", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=114, eliminated_buckets=0, considered_events=22756834, total_slices=1247955, decompressed_slices=385036, duration.command.search.index=9359, invocations.command.search.index.bucketcache.hit=114, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=62667, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11516442, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 04:41:33.863, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654663200_80979', total_run_time=16.73, event_count=0, result_count=0, available_count=0, scan_count=22767837, drop_count=0, exec_time=1654663249, api_et=1654648800.000000000, api_lt=1654663200.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654648800.000000000, search_lt=1654663200.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2861", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=114, eliminated_buckets=0, considered_events=22767837, total_slices=1246337, decompressed_slices=385312, duration.command.search.index=9221, invocations.command.search.index.bucketcache.hit=114, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=62893, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11519182, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 04:41:33.486, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654663080_80925', total_run_time=14.88, event_count=0, result_count=0, available_count=0, scan_count=22788115, drop_count=0, exec_time=1654663130, api_et=1654648680.000000000, api_lt=1654663080.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654648680.000000000, search_lt=1654663080.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2782", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=114, eliminated_buckets=0, considered_events=22788115, total_slices=1243038, decompressed_slices=385540, duration.command.search.index=8419, invocations.command.search.index.bucketcache.hit=114, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58374, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11524344, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 04:41:33.341, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654663140_80941', total_run_time=15.26, event_count=0, result_count=0, available_count=0, scan_count=22777719, drop_count=0, exec_time=1654663189, api_et=1654648740.000000000, api_lt=1654663140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654648740.000000000, search_lt=1654663140.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2922", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=114, eliminated_buckets=0, considered_events=22777719, total_slices=1244708, decompressed_slices=385364, duration.command.search.index=8399, invocations.command.search.index.bucketcache.hit=114, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59694, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11521443, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 04:38:25.382, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654662780_80813', total_run_time=291.56, event_count=0, result_count=0, available_count=0, scan_count=41432090, drop_count=0, exec_time=1654662805, api_et=1654659180.000000000, api_lt=1654662780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654659180.000000000, search_lt=1654662807.509246000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3752", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_d2a3a78a6bc8b3aa", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1899, eliminated_buckets=137, considered_events=41432090, total_slices=13660093, decompressed_slices=4018015, duration.command.search.index=14626, invocations.command.search.index.bucketcache.hit=1893, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=223441, invocations.command.search.rawdata.bucketcache.hit=273, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 04:38:25.365, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654663020_80910', total_run_time=13.06, event_count=0, result_count=0, available_count=0, scan_count=22799692, drop_count=0, exec_time=1654663069, api_et=1654648620.000000000, api_lt=1654663020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654648620.000000000, search_lt=1654663020.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2844", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=114, eliminated_buckets=0, considered_events=22799692, total_slices=1241438, decompressed_slices=385694, duration.command.search.index=8268, invocations.command.search.index.bucketcache.hit=114, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55692, invocations.command.search.rawdata.bucketcache.hit=2, invocations.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11526205, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 04:37:10.818, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654662960_80895', total_run_time=14.31, event_count=0, result_count=0, available_count=0, scan_count=22815031, drop_count=0, exec_time=1654663010, api_et=1654648560.000000000, api_lt=1654662960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654648560.000000000, search_lt=1654662960.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2879", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=114, eliminated_buckets=0, considered_events=22815031, total_slices=1239930, decompressed_slices=385899, duration.command.search.index=8205, invocations.command.search.index.bucketcache.hit=114, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58785, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11529780, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 04:36:44.813, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654662780_80827', total_run_time=18.06, event_count=0, result_count=0, available_count=0, scan_count=22845169, drop_count=0, exec_time=1654662829, api_et=1654648380.000000000, api_lt=1654662780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654648380.000000000, search_lt=1654662780.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2833", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=114, eliminated_buckets=0, considered_events=22845169, total_slices=1235053, decompressed_slices=386243, duration.command.search.index=9418, invocations.command.search.index.bucketcache.hit=114, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=65386, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11534576, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 04:36:44.424, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654662900_80885', total_run_time=14.13, event_count=0, result_count=0, available_count=0, scan_count=22827227, drop_count=0, exec_time=1654662950, api_et=1654648500.000000000, api_lt=1654662900.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654648500.000000000, search_lt=1654662900.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2774", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=114, eliminated_buckets=0, considered_events=22827227, total_slices=1238256, decompressed_slices=386119, duration.command.search.index=8375, invocations.command.search.index.bucketcache.hit=114, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56798, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11532672, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 04:36:43.262, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654662840_80863', total_run_time=15.02, event_count=0, result_count=0, available_count=0, scan_count=22835520, drop_count=0, exec_time=1654662890, api_et=1654648440.000000000, api_lt=1654662840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654648440.000000000, search_lt=1654662840.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2759", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=114, eliminated_buckets=0, considered_events=22835520, total_slices=1236709, decompressed_slices=386177, duration.command.search.index=8669, invocations.command.search.index.bucketcache.hit=114, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58371, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11534126, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 04:33:22.349, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654662720_80791', total_run_time=20.79, event_count=0, result_count=0, available_count=0, scan_count=22857372, drop_count=0, exec_time=1654662770, api_et=1654648320.000000000, api_lt=1654662720.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654648320.000000000, search_lt=1654662720.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3170", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=114, eliminated_buckets=0, considered_events=22857372, total_slices=1233412, decompressed_slices=386365, duration.command.search.index=9859, invocations.command.search.index.bucketcache.hit=114, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=72696, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11536177, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 04:32:22.331, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654662660_80762', total_run_time=16.78, event_count=0, result_count=0, available_count=0, scan_count=22869720, drop_count=0, exec_time=1654662710, api_et=1654648260.000000000, api_lt=1654662660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654648260.000000000, search_lt=1654662660.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3241", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=114, eliminated_buckets=0, considered_events=22869720, total_slices=1231787, decompressed_slices=386531, duration.command.search.index=10067, invocations.command.search.index.bucketcache.hit=114, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=67272, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11538420, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 04:31:22.605, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654662600_80733', total_run_time=24.72, event_count=0, result_count=0, available_count=0, scan_count=22878565, drop_count=0, exec_time=1654662650, api_et=1654648200.000000000, api_lt=1654662600.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654648200.000000000, search_lt=1654662600.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2783", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=114, eliminated_buckets=0, considered_events=22878565, total_slices=1230242, decompressed_slices=386717, duration.command.search.index=11421, invocations.command.search.index.bucketcache.hit=114, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=84333, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11540747, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 04:30:05.543, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654662540_80689', total_run_time=13.56, event_count=0, result_count=0, available_count=0, scan_count=22884927, drop_count=0, exec_time=1654662589, api_et=1654648140.000000000, api_lt=1654662540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654648140.000000000, search_lt=1654662540.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2652", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=114, eliminated_buckets=0, considered_events=22884927, total_slices=1228460, decompressed_slices=386739, duration.command.search.index=8116, invocations.command.search.index.bucketcache.hit=114, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58737, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11540094, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 04:30:05.210, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654662480_80672', total_run_time=13.84, event_count=0, result_count=0, available_count=0, scan_count=22893942, drop_count=0, exec_time=1654662530, api_et=1654648080.000000000, api_lt=1654662480.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654648080.000000000, search_lt=1654662480.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2830", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=114, eliminated_buckets=0, considered_events=22893942, total_slices=1226796, decompressed_slices=386811, duration.command.search.index=8375, invocations.command.search.index.bucketcache.hit=114, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57949, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11541431, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 04:28:22.454, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654662420_80651', total_run_time=13.94, event_count=0, result_count=0, available_count=0, scan_count=22906219, drop_count=0, exec_time=1654662469, api_et=1654648020.000000000, api_lt=1654662420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654648020.000000000, search_lt=1654662420.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2715", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=113, eliminated_buckets=0, considered_events=22906219, total_slices=1225097, decompressed_slices=386936, duration.command.search.index=8517, invocations.command.search.index.bucketcache.hit=113, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59059, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11542143, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 04:27:22.183, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654662360_80633', total_run_time=14.39, event_count=0, result_count=0, available_count=0, scan_count=22916394, drop_count=0, exec_time=1654662409, api_et=1654647960.000000000, api_lt=1654662360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654647960.000000000, search_lt=1654662360.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2632", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=113, eliminated_buckets=0, considered_events=22916394, total_slices=1223475, decompressed_slices=387061, duration.command.search.index=8158, invocations.command.search.index.bucketcache.hit=113, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58996, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11542652, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 04:26:08.403, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654662240_80603', total_run_time=16.12, event_count=0, result_count=0, available_count=0, scan_count=22944976, drop_count=0, exec_time=1654662290, api_et=1654647840.000000000, api_lt=1654662240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654647840.000000000, search_lt=1654662240.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2702", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=113, eliminated_buckets=0, considered_events=22944976, total_slices=1220117, decompressed_slices=387363, duration.command.search.index=9026, invocations.command.search.index.bucketcache.hit=113, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58741, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11549215, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 04:26:08.108, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654662180_80584', total_run_time=15.28, event_count=0, result_count=0, available_count=0, scan_count=22962584, drop_count=0, exec_time=1654662230, api_et=1654647780.000000000, api_lt=1654662180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654647780.000000000, search_lt=1654662180.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3228", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=113, eliminated_buckets=0, considered_events=22962584, total_slices=1218491, decompressed_slices=387576, duration.command.search.index=8359, invocations.command.search.index.bucketcache.hit=113, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58714, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11552567, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 04:26:07.314, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654662300_80617', total_run_time=14.76, event_count=0, result_count=0, available_count=0, scan_count=22928753, drop_count=0, exec_time=1654662350, api_et=1654647900.000000000, api_lt=1654662300.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654647900.000000000, search_lt=1654662300.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2751", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=113, eliminated_buckets=0, considered_events=22928753, total_slices=1220854, decompressed_slices=387176, duration.command.search.index=8408, invocations.command.search.index.bucketcache.hit=113, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59898, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11545152, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 04:23:27.045, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654662120_80552', total_run_time=14.60, event_count=0, result_count=0, available_count=0, scan_count=22974448, drop_count=0, exec_time=1654662169, api_et=1654647720.000000000, api_lt=1654662120.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654647720.000000000, search_lt=1654662120.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3190", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=113, eliminated_buckets=0, considered_events=22974448, total_slices=1216680, decompressed_slices=387693, duration.command.search.index=8180, invocations.command.search.index.bucketcache.hit=113, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58817, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11553864, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 04:22:27.003, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654662060_80536', total_run_time=13.79, event_count=0, result_count=0, available_count=0, scan_count=22991974, drop_count=0, exec_time=1654662109, api_et=1654647660.000000000, api_lt=1654662060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654647660.000000000, search_lt=1654662060.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2675", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=113, eliminated_buckets=0, considered_events=22991974, total_slices=1215042, decompressed_slices=387861, duration.command.search.index=8756, invocations.command.search.index.bucketcache.hit=113, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59524, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11556106, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 04:21:26.973, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654662000_80507', total_run_time=15.45, event_count=0, result_count=0, available_count=0, scan_count=23007112, drop_count=0, exec_time=1654662051, api_et=1654647600.000000000, api_lt=1654662000.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654647600.000000000, search_lt=1654662000.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3376", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=113, eliminated_buckets=0, considered_events=23007112, total_slices=1213356, decompressed_slices=388155, duration.command.search.index=8467, invocations.command.search.index.bucketcache.hit=113, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=62128, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11558790, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 04:20:27.276, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654661940_80470', total_run_time=15.23, event_count=0, result_count=0, available_count=0, scan_count=23022963, drop_count=0, exec_time=1654661989, api_et=1654647540.000000000, api_lt=1654661940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654647540.000000000, search_lt=1654661940.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3319", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=113, eliminated_buckets=0, considered_events=23022963, total_slices=1211760, decompressed_slices=388192, duration.command.search.index=8578, invocations.command.search.index.bucketcache.hit=113, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=60003, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11562814, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 04:19:27.008, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654661880_80445', total_run_time=17.43, event_count=0, result_count=0, available_count=0, scan_count=23038696, drop_count=0, exec_time=1654661930, api_et=1654647480.000000000, api_lt=1654661880.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654647480.000000000, search_lt=1654661880.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3347", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=113, eliminated_buckets=0, considered_events=23038696, total_slices=1209942, decompressed_slices=388391, duration.command.search.index=10147, invocations.command.search.index.bucketcache.hit=113, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=69980, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11566182, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 04:18:31.859, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654661820_80425', total_run_time=15.59, event_count=0, result_count=0, available_count=0, scan_count=23055153, drop_count=0, exec_time=1654661870, api_et=1654647420.000000000, api_lt=1654661820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654647420.000000000, search_lt=1654661820.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3567", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=113, eliminated_buckets=0, considered_events=23055153, total_slices=1208169, decompressed_slices=388633, duration.command.search.index=8651, invocations.command.search.index.bucketcache.hit=113, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61017, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11569436, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 04:17:27.050, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654661760_80402', total_run_time=15.65, event_count=0, result_count=0, available_count=0, scan_count=23073809, drop_count=0, exec_time=1654661810, api_et=1654647360.000000000, api_lt=1654661760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654647360.000000000, search_lt=1654661760.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3102", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=113, eliminated_buckets=0, considered_events=23073809, total_slices=1206614, decompressed_slices=388857, duration.command.search.index=8605, invocations.command.search.index.bucketcache.hit=113, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=62282, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11572084, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 04:16:27.188, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654661760_80396', total_run_time=8.38, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654661771, api_et=1654657560.000000000, api_lt=1654661160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654658160.000000000, search_lt=1654661773.559022000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="4136", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_6f66d80c301b32a7", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1103, eliminated_buckets=386, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=688, invocations.command.search.index.bucketcache.hit=1103, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 04:16:26.752, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654661700_80384', total_run_time=15.49, event_count=0, result_count=0, available_count=0, scan_count=23086380, drop_count=0, exec_time=1654661750, api_et=1654647300.000000000, api_lt=1654661700.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654647300.000000000, search_lt=1654661700.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3070", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=113, eliminated_buckets=0, considered_events=23086380, total_slices=1205076, decompressed_slices=389005, duration.command.search.index=8101, invocations.command.search.index.bucketcache.hit=113, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=60121, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11574421, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 04:15:27.028, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654661640_80365', total_run_time=14.64, event_count=0, result_count=0, available_count=0, scan_count=23099859, drop_count=0, exec_time=1654661689, api_et=1654647240.000000000, api_lt=1654661640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654647240.000000000, search_lt=1654661640.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2764", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=113, eliminated_buckets=0, considered_events=23099859, total_slices=1203395, decompressed_slices=389134, duration.command.search.index=8025, invocations.command.search.index.bucketcache.hit=113, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=60556, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11576882, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 04:14:57.261, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654661640_80352', total_run_time=4.86, event_count=0, result_count=0, available_count=0, scan_count=20227, drop_count=0, exec_time=1654661663, api_et=1654658040.000000000, api_lt=1654661640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654658040.000000000, search_lt=1654661665.296849000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2828", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=411, eliminated_buckets=282, considered_events=21432, total_slices=722971, decompressed_slices=3706, duration.command.search.index=1093, invocations.command.search.index.bucketcache.hit=411, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5916, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=52, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=157, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=444, 
sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=102, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=3, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=113, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=4, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR 
sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-08-2022 04:14:26.971, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654661580_80342', total_run_time=14.02, event_count=0, result_count=0, available_count=0, scan_count=23114768, drop_count=0, exec_time=1654661629, api_et=1654647180.000000000, api_lt=1654661580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654647180.000000000, search_lt=1654661580.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2854", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=113, eliminated_buckets=0, considered_events=23114768, total_slices=1201639, decompressed_slices=389312, 
duration.command.search.index=8436, invocations.command.search.index.bucketcache.hit=113, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59441, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11578518, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 04:13:27.597, user=u00002, action=search, 
info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654661520_80315', total_run_time=14.54, event_count=0, result_count=0, available_count=0, scan_count=23129053, drop_count=0, exec_time=1654661570, api_et=1654647120.000000000, api_lt=1654661520.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654647120.000000000, search_lt=1654661520.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2777", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=113, eliminated_buckets=0, considered_events=23129053, total_slices=1199962, decompressed_slices=389490, duration.command.search.index=8204, invocations.command.search.index.bucketcache.hit=113, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61302, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11579764, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" 
src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 04:12:26.931, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654661460_80296', total_run_time=13.97, event_count=0, result_count=0, available_count=0, scan_count=23147751, drop_count=0, exec_time=1654661509, api_et=1654647060.000000000, api_lt=1654661460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654647060.000000000, search_lt=1654661460.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2624", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=113, eliminated_buckets=0, considered_events=23147751, total_slices=1198167, decompressed_slices=389838, duration.command.search.index=8741, invocations.command.search.index.bucketcache.hit=113, duration.command.search.index.bucketcache.hit=0, 
invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=60772, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11582237, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 04:11:15.221, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654661460_80279', total_run_time=5.19, 
event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654661464, api_et=1654657860.000000000, api_lt=1654661460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654657860.000000000, search_lt=1654661466.153860000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2239", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_a3a986ee1cdd84c5", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=58, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=54, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) 
as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 04:11:14.959, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654661400_80270', total_run_time=19.68, event_count=0, result_count=0, available_count=0, scan_count=23161194, drop_count=0, exec_time=1654661449, api_et=1654647000.000000000, api_lt=1654661400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654647000.000000000, search_lt=1654661400.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3217", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=113, eliminated_buckets=0, considered_events=23161194, total_slices=1196687, decompressed_slices=390056, duration.command.search.index=9610, invocations.command.search.index.bucketcache.hit=113, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, 
duration.command.search.rawdata=63118, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11583797, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 04:10:51.726, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654661340_80238', total_run_time=17.05, event_count=0, result_count=0, available_count=0, scan_count=23178094, drop_count=0, exec_time=1654661389, api_et=1654646940.000000000, 
api_lt=1654661340.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654646940.000000000, search_lt=1654661340.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2745", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=113, eliminated_buckets=1, considered_events=23178094, total_slices=1195116, decompressed_slices=390187, duration.command.search.index=8795, invocations.command.search.index.bucketcache.hit=113, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=60328, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11585988, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, 
earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 04:10:50.863, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654661340_80230', total_run_time=19.63, event_count=0, result_count=0, available_count=0, scan_count=5342491, drop_count=0, exec_time=1654661345, api_et=1654657140.000000000, api_lt=1654660740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654657140.000000000, search_lt=1654660740.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3541", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_acf246df0bb2a627", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=811, eliminated_buckets=404, considered_events=5342491, total_slices=1185248, decompressed_slices=233890, duration.command.search.index=2154, invocations.command.search.index.bucketcache.hit=811, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=36704, invocations.command.search.rawdata.bucketcache.hit=12, 
duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=92, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 04:09:09.790, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654661280_80222', total_run_time=13.61, event_count=0, result_count=0, available_count=0, 
scan_count=23194730, drop_count=0, exec_time=1654661329, api_et=1654646880.000000000, api_lt=1654661280.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654646880.000000000, search_lt=1654661280.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2912", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=113, eliminated_buckets=1, considered_events=23194730, total_slices=1193416, decompressed_slices=390421, duration.command.search.index=8670, invocations.command.search.index.bucketcache.hit=113, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57202, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11588317, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv 
src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 04:08:39.898, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654661220_80209', total_run_time=19.17, event_count=1131, result_count=53, available_count=0, scan_count=372454, drop_count=0, exec_time=1654661280, api_et=1654657620.000000000, api_lt=1654661220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654657620.000000000, search_lt=1654661282.073149000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2822", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=411, eliminated_buckets=202, considered_events=382838, total_slices=549302, decompressed_slices=111823, duration.command.search.index=3655, invocations.command.search.index.bucketcache.hit=411, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=30032, invocations.command.search.rawdata.bucketcache.hit=3, 
duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=304512, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=32371, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] 
Audit:[timestamp=06-08-2022 04:08:09.932, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654661220_80206', total_run_time=14.18, event_count=0, result_count=0, available_count=0, scan_count=23213192, drop_count=0, exec_time=1654661269, api_et=1654646820.000000000, api_lt=1654661220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654646820.000000000, search_lt=1654661220.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2788", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=113, eliminated_buckets=1, considered_events=23213192, total_slices=1191655, decompressed_slices=390717, duration.command.search.index=8567, invocations.command.search.index.bucketcache.hit=113, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61699, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11590828, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs 
sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 04:07:39.888, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654661220_80201', total_run_time=6.14, event_count=0, result_count=0, available_count=0, scan_count=1, drop_count=0, exec_time=1654661246, api_et=1654657620.000000000, api_lt=1654661220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654657620.000000000, search_lt=1654661248.487949000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2810", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_da45ba7ac41f898f", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=410, eliminated_buckets=201, considered_events=1, total_slices=625, decompressed_slices=0, duration.command.search.index=898, invocations.command.search.index.bucketcache.hit=410, 
duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=181, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 04:07:09.838, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654661160_80186', total_run_time=13.60, event_count=0, result_count=0, available_count=0, scan_count=23232094, drop_count=0, exec_time=1654661210, api_et=1654646760.000000000, api_lt=1654661160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654646760.000000000, search_lt=1654661160.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2933", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=113, eliminated_buckets=1, considered_events=23232094, total_slices=1190299, decompressed_slices=390895, duration.command.search.index=8520, invocations.command.search.index.bucketcache.hit=113, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61187, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11594298, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 04:06:25.381, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654661100_80171', total_run_time=18.79, event_count=0, result_count=0, available_count=0, scan_count=23247543, drop_count=0, exec_time=1654661150, api_et=1654646700.000000000, api_lt=1654661100.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654646700.000000000, search_lt=1654661100.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3326", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=113, eliminated_buckets=1, considered_events=23247543, total_slices=1188603, decompressed_slices=391193, duration.command.search.index=9265, invocations.command.search.index.bucketcache.hit=113, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=64494, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11596130, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 04:05:56.186, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654661040_80152', total_run_time=19.96, event_count=0, result_count=0, available_count=0, scan_count=23267065, drop_count=0, exec_time=1654661090, api_et=1654646640.000000000, api_lt=1654661040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654646640.000000000, search_lt=1654661040.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2880", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=113, eliminated_buckets=1, considered_events=23267065, total_slices=1186958, decompressed_slices=391435, duration.command.search.index=11152, invocations.command.search.index.bucketcache.hit=113, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=80307, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11600815, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 04:05:55.554, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654660980_80110', total_run_time=20.37, event_count=0, result_count=0, available_count=0, scan_count=23282875, drop_count=0, exec_time=1654661029, api_et=1654646580.000000000, api_lt=1654660980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654646580.000000000, search_lt=1654660980.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2946", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=112, eliminated_buckets=0, considered_events=23282875, total_slices=1185352, decompressed_slices=391578, duration.command.search.index=12979, invocations.command.search.index.bucketcache.hit=112, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=99651, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11603804, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 04:03:24.939, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654660920_80063', total_run_time=19.55, event_count=0, result_count=0, available_count=0, scan_count=23298633, drop_count=0, exec_time=1654660969, api_et=1654646520.000000000, api_lt=1654660920.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654646520.000000000, search_lt=1654660920.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2744", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=112, eliminated_buckets=0, considered_events=23298633, total_slices=1183773, decompressed_slices=391803, duration.command.search.index=10834, invocations.command.search.index.bucketcache.hit=112, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=80288, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11605991, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 04:02:24.662, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654660860_80033', total_run_time=17.33, event_count=0, result_count=0, available_count=0, scan_count=23313614, drop_count=0, exec_time=1654660910, api_et=1654646460.000000000, api_lt=1654660860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654646460.000000000, search_lt=1654660860.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2768", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=112, eliminated_buckets=0, considered_events=23313614, total_slices=1182046, decompressed_slices=391923, duration.command.search.index=9979, invocations.command.search.index.bucketcache.hit=112, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=73119, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11608550, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 04:01:25.552, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654660800_80001', total_run_time=28.75, event_count=0, result_count=0, available_count=0, scan_count=23305801, drop_count=0, exec_time=1654660849, api_et=1654646400.000000000, api_lt=1654660800.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654646400.000000000, search_lt=1654660800.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2788", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=112, eliminated_buckets=0, considered_events=23305801, total_slices=1180387, decompressed_slices=391578, duration.command.search.index=12173, invocations.command.search.index.bucketcache.hit=112, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=103157, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11590433, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 03:44:24.752, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654659780_79663', total_run_time=21.49, event_count=0, result_count=0, available_count=0, scan_count=3622, drop_count=0, exec_time=1654659818, api_et=1654656180.000000000, api_lt=1654659780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654656180.000000000, search_lt=1654659820.531317000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2831", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_768259cb71189ed5", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=111, eliminated_buckets=0, considered_events=3622, total_slices=1001944, decompressed_slices=857, duration.command.search.index=1233, invocations.command.search.index.bucketcache.hit=111, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5055, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter 
vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 03:38:08.235, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654659180_79441', total_run_time=275.57, event_count=0, result_count=0, available_count=0, scan_count=41358027, drop_count=0, exec_time=1654659205, api_et=1654655580.000000000, api_lt=1654659180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654655580.000000000, search_lt=1654659207.261771000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3776", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_76343e6a46799c8a", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1936, eliminated_buckets=137, considered_events=41358027, total_slices=13868200, decompressed_slices=3998767, duration.command.search.index=14260, invocations.command.search.index.bucketcache.hit=1935, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=221944, invocations.command.search.rawdata.bucketcache.hit=306, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 03:16:23.646, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654658160_79069', total_run_time=10.00, event_count=0, result_count=0, available_count=0, scan_count=1, drop_count=0, exec_time=1654658171, api_et=1654653960.000000000, api_lt=1654657560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654654560.000000000, search_lt=1654658173.350370000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3749", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_9dfce6293602a76c", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1106, eliminated_buckets=386, considered_events=1, total_slices=7825, decompressed_slices=1, duration.command.search.index=745, invocations.command.search.index.bucketcache.hit=1106, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=124, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metadata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metadata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes 
values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 03:14:43.493, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654658040_79028', total_run_time=4.44, event_count=0, result_count=0, available_count=0, scan_count=14869, drop_count=0, exec_time=1654658063, api_et=1654654440.000000000, api_lt=1654658040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654654440.000000000, search_lt=1654658065.068115000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2827", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=409, eliminated_buckets=284, considered_events=14880, total_slices=824792, decompressed_slices=3682, duration.command.search.index=1069, 
invocations.command.search.index.bucketcache.hit=409, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5966, invocations.command.search.rawdata.bucketcache.hit=5, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=57, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=148, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=381, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=87, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=1, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=126, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR 
sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." 
(CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-08-2022 03:11:22.218, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654657860_78963', total_run_time=5.47, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654657865, api_et=1654654260.000000000, api_lt=1654657860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654654260.000000000, search_lt=1654657867.156959000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2825", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_965706aa9266bd9b", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=60, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=40, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 03:09:29.155, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654657740_78914', total_run_time=16.56, event_count=0, result_count=0, available_count=0, scan_count=4617704, drop_count=0, exec_time=1654657745, api_et=1654653540.000000000, api_lt=1654657140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654653540.000000000, search_lt=1654657140.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3040", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_a30b00cdf18aa5dc", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=807, eliminated_buckets=400, considered_events=4617704, total_slices=1126524, decompressed_slices=219268, duration.command.search.index=1983, invocations.command.search.index.bucketcache.hit=806, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=34925, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=96, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 03:08:52.279, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654657620_78895', total_run_time=25.58, event_count=1155, result_count=53, available_count=0, scan_count=380771, drop_count=0, exec_time=1654657680, api_et=1654654020.000000000, api_lt=1654657620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654654020.000000000, search_lt=1654657682.385214000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2723", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=409, eliminated_buckets=196, considered_events=386390, total_slices=548196, decompressed_slices=108764, duration.command.search.index=3392, invocations.command.search.index.bucketcache.hit=407, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=31520, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=2, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=309927, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=32890, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype 
CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-08-2022 03:07:52.122, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654657620_78890', total_run_time=11.38, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654657646, api_et=1654654020.000000000, api_lt=1654657620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654654020.000000000, search_lt=1654657653.165737000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="7713", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_f197c42205dd397e", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=409, eliminated_buckets=196, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=804, invocations.command.search.index.bucketcache.hit=407, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 02:45:06.155, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654656180_78379', total_run_time=30.42, event_count=0, result_count=0, available_count=0, scan_count=3475, drop_count=0, exec_time=1654656218, api_et=1654652580.000000000, api_lt=1654656180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654652580.000000000, search_lt=1654656219.872070000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2437", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_9f0388fac96a8f34", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=111, eliminated_buckets=0, considered_events=3475, total_slices=869433, decompressed_slices=899, duration.command.search.index=1301, invocations.command.search.index.bucketcache.hit=111, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4942, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 02:40:59.102, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654655580_78157', total_run_time=39.35, event_count=0, result_count=0, available_count=0, scan_count=41400211, drop_count=0, exec_time=1654655605, api_et=1654651980.000000000, api_lt=1654655580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654651980.000000000, search_lt=1654655607.315123000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3370", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_ef8d7b19879fad3e", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1899, eliminated_buckets=137, considered_events=41400211, total_slices=13674940, decompressed_slices=4034947, duration.command.search.index=14468, invocations.command.search.index.bucketcache.hit=1899, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=229371, invocations.command.search.rawdata.bucketcache.hit=275, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 02:20:41.942, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654654560_77783', total_run_time=12.18, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654654571, api_et=1654650360.000000000, api_lt=1654653960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654650960.000000000, search_lt=1654654573.356106000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3811", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_d25f2a765f4f6d7c", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1105, eliminated_buckets=385, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=880, invocations.command.search.index.bucketcache.hit=1105, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 02:20:41.520, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654654440_77743', total_run_time=6.69, event_count=0, result_count=0, available_count=0, scan_count=15692, drop_count=0, exec_time=1654654463, api_et=1654650840.000000000, api_lt=1654654440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654650840.000000000, search_lt=1654654464.881680000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2756", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=408, eliminated_buckets=288, considered_events=15692, total_slices=864724, decompressed_slices=3424, duration.command.search.index=1285, invocations.command.search.index.bucketcache.hit=407, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=6559, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=39, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=239, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=767, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=157, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=2, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=125, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | 
`filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-08-2022 02:11:38.080, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654654260_77677', total_run_time=6.38, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654654265, api_et=1654650660.000000000, api_lt=1654654260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654650660.000000000, search_lt=1654654267.685919000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2850", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_bcceef99410aa28c", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=59, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=43, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 02:09:39.006, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654654140_77631', total_run_time=23.52, event_count=0, result_count=0, available_count=0, scan_count=5016476, drop_count=0, exec_time=1654654145, api_et=1654649940.000000000, api_lt=1654653540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654649940.000000000, search_lt=1654653540.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3205", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_c32f82ea604914ae", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=811, eliminated_buckets=397, considered_events=5016476, total_slices=1132642, decompressed_slices=231519, duration.command.search.index=2423, invocations.command.search.index.bucketcache.hit=809, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=39773, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=101, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 02:09:38.932, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654654020_77607', total_run_time=11.52, event_count=0, result_count=0, available_count=0, scan_count=1, drop_count=0, exec_time=1654654046, api_et=1654650420.000000000, api_lt=1654654020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654650420.000000000, search_lt=1654654048.402338000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To 
Gitlab Servers - Rule", search_startup_time="2789", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_95455ae3f58dd8cd", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=409, eliminated_buckets=192, considered_events=1, total_slices=11858, decompressed_slices=0, duration.command.search.index=1115, invocations.command.search.index.bucketcache.hit=409, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=126, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine 
dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 02:09:38.580, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654654020_77612', total_run_time=28.65, event_count=2248, result_count=94, available_count=0, scan_count=472292, drop_count=0, exec_time=1654654080, api_et=1654650420.000000000, api_lt=1654654020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654650420.000000000, search_lt=1654654082.418825000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2888", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=409, eliminated_buckets=192, considered_events=479995, total_slices=627041, decompressed_slices=124855, duration.command.search.index=5873, invocations.command.search.index.bucketcache.hit=409, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=48811, invocations.command.search.rawdata.bucketcache.hit=6, duration.command.search.rawdata.bucketcache.hit=0, 
invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=1, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=386569, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=40786, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] 
Audit:[timestamp=06-08-2022 01:45:40.583, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654652580_77107', total_run_time=67.61, event_count=0, result_count=0, available_count=0, scan_count=3543, drop_count=0, exec_time=1654652618, api_et=1654648980.000000000, api_lt=1654652580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654648980.000000000, search_lt=1654652620.764500000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2820", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_543ce31ddef868cd", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=112, eliminated_buckets=0, considered_events=3543, total_slices=805953, decompressed_slices=1067, duration.command.search.index=1288, invocations.command.search.index.bucketcache.hit=112, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5331, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search 
index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 01:37:42.774, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654651980_76881', total_run_time=213.69, event_count=0, result_count=0, available_count=0, scan_count=41801683, drop_count=0, exec_time=1654652005, api_et=1654648380.000000000, api_lt=1654651980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654648380.000000000, search_lt=1654652007.599428000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3931", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_a71005172c9d419e", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1931, eliminated_buckets=137, considered_events=41801683, total_slices=13862247, decompressed_slices=4076395, duration.command.search.index=15136, 
invocations.command.search.index.bucketcache.hit=1930, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=270079, invocations.command.search.rawdata.bucketcache.hit=310, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 01:16:32.411, user=u00001, action=search, info=completed, 
search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654650960_76515', total_run_time=7.96, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654650971, api_et=1654646760.000000000, api_lt=1654650360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654647360.000000000, search_lt=1654650973.096139000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3929", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_88e71087478aa28c", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1104, eliminated_buckets=383, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=683, invocations.command.search.index.bucketcache.hit=1104, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert 
OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 01:14:31.491, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654650840_76475', total_run_time=7.00, event_count=0, result_count=0, available_count=0, scan_count=23551, drop_count=0, exec_time=1654650863, api_et=1654647240.000000000, api_lt=1654650840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654647240.000000000, search_lt=1654650865.007591000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2887", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=407, eliminated_buckets=291, considered_events=24515, total_slices=807465, decompressed_slices=4492, duration.command.search.index=1616, invocations.command.search.index.bucketcache.hit=407, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=7269, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=47, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=266, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=1011, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=154, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=7, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=439, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=1, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") 
`filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-08-2022 01:11:31.741, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654650660_76410', total_run_time=6.19, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654650666, api_et=1654647060.000000000, api_lt=1654650660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654647060.000000000, search_lt=1654650668.009341000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2799", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_9cb72d91edb03098", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=60, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=40, invocations.command.search.index.bucketcache.hit=137, 
duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 01:09:58.017, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654650540_76365', total_run_time=19.36, event_count=0, result_count=0, available_count=0, scan_count=4973399, drop_count=0, exec_time=1654650545, api_et=1654646340.000000000, api_lt=1654649940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654646340.000000000, search_lt=1654649940.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3247", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_b3698d354c8820bb", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=812, eliminated_buckets=400, considered_events=4973399, total_slices=1047857, decompressed_slices=231034, duration.command.search.index=2170, invocations.command.search.index.bucketcache.hit=806, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=37322, invocations.command.search.rawdata.bucketcache.hit=7, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=144, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 01:09:57.304, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654650420_76341', total_run_time=8.87, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654650446, api_et=1654646820.000000000, api_lt=1654650420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654646820.000000000, search_lt=1654650448.678842000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To 
Gitlab Servers - Rule", search_startup_time="2948", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_ec2e0f025105eae8", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=406, eliminated_buckets=188, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=973, invocations.command.search.index.bucketcache.hit=406, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host 
ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 01:09:56.999, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654650420_76352', total_run_time=21.05, event_count=1841, result_count=101, available_count=0, scan_count=493307, drop_count=0, exec_time=1654650484, api_et=1654646820.000000000, api_lt=1654650420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654646820.000000000, search_lt=1654650486.772003000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2967", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=406, eliminated_buckets=188, considered_events=499729, total_slices=683591, decompressed_slices=134591, duration.command.search.index=4684, invocations.command.search.index.bucketcache.hit=405, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=44563, invocations.command.search.rawdata.bucketcache.hit=6, duration.command.search.rawdata.bucketcache.hit=0, 
invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=402644, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=41550, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-08-2022 01:01:09.422, user=u00002, action=search, 
info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654649940_76137', total_run_time=51.99, event_count=0, result_count=0, available_count=0, scan_count=27938455, drop_count=0, exec_time=1654649991, api_et=1654635540.000000000, api_lt=1654649940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654635540.000000000, search_lt=1654649940.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3336", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=121, eliminated_buckets=0, considered_events=27938455, total_slices=1102669, decompressed_slices=435975, duration.command.search.index=11822, invocations.command.search.index.bucketcache.hit=121, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=110042, invocations.command.search.rawdata.bucketcache.hit=9, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12539288, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" 
src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 00:59:39.213, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654649880_76124', total_run_time=27.37, event_count=0, result_count=0, available_count=0, scan_count=27966532, drop_count=0, exec_time=1654649929, api_et=1654635480.000000000, api_lt=1654649880.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654635480.000000000, search_lt=1654649880.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3271", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=121, eliminated_buckets=0, considered_events=27966532, total_slices=1100789, decompressed_slices=436254, duration.command.search.index=11113, invocations.command.search.index.bucketcache.hit=121, duration.command.search.index.bucketcache.hit=0, 
invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=83690, invocations.command.search.rawdata.bucketcache.hit=9, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12543483, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 00:58:39.220, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654649820_76107', total_run_time=33.64, 
event_count=0, result_count=0, available_count=0, scan_count=27997722, drop_count=0, exec_time=1654649870, api_et=1654635420.000000000, api_lt=1654649820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654635420.000000000, search_lt=1654649820.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2782", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=121, eliminated_buckets=0, considered_events=27997722, total_slices=1099014, decompressed_slices=436599, duration.command.search.index=12583, invocations.command.search.index.bucketcache.hit=121, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=91447, invocations.command.search.rawdata.bucketcache.hit=9, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12548387, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, 
dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 00:57:42.126, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654649760_76088', total_run_time=23.04, event_count=0, result_count=0, available_count=0, scan_count=28030234, drop_count=0, exec_time=1654649809, api_et=1654635360.000000000, api_lt=1654649760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654635360.000000000, search_lt=1654649760.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2599", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=122, eliminated_buckets=0, considered_events=28030234, total_slices=1123787, decompressed_slices=437044, duration.command.search.index=11020, invocations.command.search.index.bucketcache.hit=122, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, 
duration.command.search.rawdata=78754, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12551941, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 00:56:39.447, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654649700_76077', total_run_time=28.84, event_count=0, result_count=0, available_count=0, scan_count=28065882, drop_count=0, exec_time=1654649749, api_et=1654635300.000000000, 
api_lt=1654649700.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654635300.000000000, search_lt=1654649700.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2762", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=122, eliminated_buckets=0, considered_events=28065882, total_slices=1122072, decompressed_slices=437326, duration.command.search.index=11121, invocations.command.search.index.bucketcache.hit=122, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=84642, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12557530, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, 
earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 00:55:39.167, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654649640_76058', total_run_time=30.22, event_count=0, result_count=0, available_count=0, scan_count=28096186, drop_count=0, exec_time=1654649688, api_et=1654635240.000000000, api_lt=1654649640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654635240.000000000, search_lt=1654649640.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2615", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=123, eliminated_buckets=0, considered_events=28096186, total_slices=1146590, decompressed_slices=437745, duration.command.search.index=11743, invocations.command.search.index.bucketcache.hit=123, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=84957, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, 
invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12561036, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 00:54:39.464, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654649580_76042', total_run_time=30.88, event_count=0, result_count=0, available_count=0, scan_count=28127205, drop_count=0, exec_time=1654649629, api_et=1654635180.000000000, api_lt=1654649580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654635180.000000000, search_lt=1654649580.000000000, is_realtime=0, 
savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3150", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=123, eliminated_buckets=0, considered_events=28127205, total_slices=1144809, decompressed_slices=438057, duration.command.search.index=11739, invocations.command.search.index.bucketcache.hit=123, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=86028, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12566787, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as 
ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 00:53:42.470, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654649520_76017', total_run_time=37.26, event_count=0, result_count=0, available_count=0, scan_count=28153610, drop_count=0, exec_time=1654649570, api_et=1654635120.000000000, api_lt=1654649520.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654635120.000000000, search_lt=1654649520.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2716", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=123, eliminated_buckets=0, considered_events=28153610, total_slices=1142954, decompressed_slices=438378, duration.command.search.index=14537, invocations.command.search.index.bucketcache.hit=123, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=111673, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, 
invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12569650, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 00:51:56.399, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654649400_75977', total_run_time=59.57, event_count=0, result_count=0, available_count=0, scan_count=28214749, drop_count=0, exec_time=1654649451, api_et=1654635000.000000000, api_lt=1654649400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654635000.000000000, search_lt=1654649400.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3604", has_error_msg=false, fully_completed_search=true, 
is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=123, eliminated_buckets=0, considered_events=28214749, total_slices=1139740, decompressed_slices=439065, duration.command.search.index=14790, invocations.command.search.index.bucketcache.hit=123, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=114332, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12577102, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval 
right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 00:50:56.255, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654649340_75940', total_run_time=40.89, event_count=0, result_count=0, available_count=0, scan_count=28243429, drop_count=0, exec_time=1654649389, api_et=1654634940.000000000, api_lt=1654649340.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654634940.000000000, search_lt=1654649340.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3166", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=123, eliminated_buckets=0, considered_events=28243429, total_slices=1137746, decompressed_slices=439377, duration.command.search.index=13062, invocations.command.search.index.bucketcache.hit=123, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=114590, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12580997, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 00:49:56.823, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654649280_75918', total_run_time=38.91, event_count=0, result_count=0, available_count=0, scan_count=28275219, drop_count=0, exec_time=1654649330, api_et=1654634880.000000000, api_lt=1654649280.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654634880.000000000, search_lt=1654649280.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3055", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=123, eliminated_buckets=0, considered_events=28275219, total_slices=1136028, decompressed_slices=439692, duration.command.search.index=12925, invocations.command.search.index.bucketcache.hit=123, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=105964, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12586467, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 00:49:55.147, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654649100_75860', total_run_time=74.49, event_count=0, result_count=0, available_count=0, scan_count=28371613, drop_count=0, exec_time=1654649150, api_et=1654634700.000000000, api_lt=1654649100.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654634700.000000000, search_lt=1654649100.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3140", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=123, eliminated_buckets=0, considered_events=28371613, total_slices=1130688, decompressed_slices=440623, duration.command.search.index=13134, invocations.command.search.index.bucketcache.hit=123, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=113978, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12602465, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 00:49:53.371, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654649220_75901', total_run_time=41.19, event_count=0, result_count=0, available_count=0, scan_count=28304744, drop_count=0, exec_time=1654649270, api_et=1654634820.000000000, api_lt=1654649220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654634820.000000000, search_lt=1654649220.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3455", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=123, eliminated_buckets=0, considered_events=28304744, total_slices=1134187, decompressed_slices=439977, duration.command.search.index=12290, invocations.command.search.index.bucketcache.hit=123, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=94194, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12590340, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 00:45:45.492, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654649040_75837', total_run_time=41.84, event_count=0, result_count=0, available_count=0, scan_count=28405603, drop_count=0, exec_time=1654649089, api_et=1654634640.000000000, api_lt=1654649040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654634640.000000000, search_lt=1654649040.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2766", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=123, eliminated_buckets=0, considered_events=28405603, total_slices=1128993, decompressed_slices=440935, duration.command.search.index=14449, invocations.command.search.index.bucketcache.hit=123, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=127700, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12607802, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 00:44:42.063, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654648980_75813', total_run_time=55.52, event_count=0, result_count=0, available_count=0, scan_count=3289, drop_count=0, exec_time=1654649018, api_et=1654645380.000000000, api_lt=1654648980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654645380.000000000, search_lt=1654649020.672821000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2915", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_14b1b2da406aed4a", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=112, eliminated_buckets=0, considered_events=3289, total_slices=762682, decompressed_slices=1417, duration.command.search.index=3497, invocations.command.search.index.bucketcache.hit=112, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=8766, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter 
vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 00:44:40.979, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654648980_75816', total_run_time=48.08, event_count=0, result_count=0, available_count=0, scan_count=28438951, drop_count=0, exec_time=1654649029, api_et=1654634580.000000000, api_lt=1654648980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654634580.000000000, search_lt=1654648980.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3089", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=123, eliminated_buckets=0, considered_events=28438951, total_slices=1127209, decompressed_slices=441255, duration.command.search.index=15425, invocations.command.search.index.bucketcache.hit=123, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=130671, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12614411, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 00:44:40.259, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654648920_75788', total_run_time=44.53, event_count=0, result_count=0, available_count=0, scan_count=28466338, drop_count=0, exec_time=1654648969, api_et=1654634520.000000000, api_lt=1654648920.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654634520.000000000, search_lt=1654648920.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2678", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=123, eliminated_buckets=0, considered_events=28466338, total_slices=1125554, decompressed_slices=441467, duration.command.search.index=15301, invocations.command.search.index.bucketcache.hit=123, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=138769, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12617493, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 00:44:39.491, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654648860_75765', total_run_time=34.75, event_count=0, result_count=0, available_count=0, scan_count=28495790, drop_count=0, exec_time=1654648909, api_et=1654634460.000000000, api_lt=1654648860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654634460.000000000, search_lt=1654648860.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2781", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=123, eliminated_buckets=0, considered_events=28495790, total_slices=1123713, decompressed_slices=441786, duration.command.search.index=12691, invocations.command.search.index.bucketcache.hit=123, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=95557, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12622734, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 00:41:58.221, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654648800_75739', total_run_time=45.07, event_count=0, result_count=0, available_count=0, scan_count=28526822, drop_count=0, exec_time=1654648849, api_et=1654634400.000000000, api_lt=1654648800.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654634400.000000000, search_lt=1654648800.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2694", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=123, eliminated_buckets=0, considered_events=28526822, total_slices=1122108, decompressed_slices=442097, duration.command.search.index=13627, invocations.command.search.index.bucketcache.hit=123, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=106618, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12626190, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 00:40:58.076, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654648740_75705', total_run_time=40.92, event_count=0, result_count=0, available_count=0, scan_count=28559525, drop_count=0, exec_time=1654648790, api_et=1654634340.000000000, api_lt=1654648740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654634340.000000000, search_lt=1654648740.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2641", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=123, eliminated_buckets=0, considered_events=28559525, total_slices=1146403, decompressed_slices=442435, duration.command.search.index=12597, invocations.command.search.index.bucketcache.hit=123, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=110647, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12631899, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 00:39:44.168, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654648680_75689', total_run_time=26.60, event_count=0, result_count=0, available_count=0, scan_count=28586302, drop_count=0, exec_time=1654648729, api_et=1654634280.000000000, api_lt=1654648680.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654634280.000000000, search_lt=1654648680.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2798", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=123, eliminated_buckets=0, considered_events=28586302, total_slices=1144506, decompressed_slices=442631, duration.command.search.index=10978, invocations.command.search.index.bucketcache.hit=123, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=88032, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12637454, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 00:39:14.105, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654648620_75674', total_run_time=33.70, event_count=0, result_count=0, available_count=0, scan_count=28615728, drop_count=0, exec_time=1654648670, api_et=1654634220.000000000, api_lt=1654648620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654634220.000000000, search_lt=1654648620.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2848", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=123, eliminated_buckets=0, considered_events=28615728, total_slices=1142797, decompressed_slices=442870, duration.command.search.index=12152, invocations.command.search.index.bucketcache.hit=123, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=91496, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12641925, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 00:39:13.362, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654648560_75659', total_run_time=30.61, event_count=0, result_count=0, available_count=0, scan_count=28646068, drop_count=0, exec_time=1654648610, api_et=1654634160.000000000, api_lt=1654648560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654634160.000000000, search_lt=1654648560.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2696", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=124, eliminated_buckets=0, considered_events=28646068, total_slices=1166966, decompressed_slices=443102, duration.command.search.index=11218, invocations.command.search.index.bucketcache.hit=124, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=92220, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12646997, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 00:36:38.225, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654648500_75649', total_run_time=41.61, event_count=0, result_count=0, available_count=0, scan_count=28676531, drop_count=0, exec_time=1654648550, api_et=1654634100.000000000, api_lt=1654648500.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654634100.000000000, search_lt=1654648500.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2824", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=124, eliminated_buckets=0, considered_events=28676531, total_slices=1165152, decompressed_slices=443483, duration.command.search.index=13475, invocations.command.search.index.bucketcache.hit=124, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=108369, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12653447, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 00:36:07.619, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654648440_75627', total_run_time=56.69, event_count=0, result_count=0, available_count=0, scan_count=28704492, drop_count=0, exec_time=1654648489, api_et=1654634040.000000000, api_lt=1654648440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654634040.000000000, search_lt=1654648440.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2865", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=125, eliminated_buckets=0, considered_events=28704492, total_slices=1189023, decompressed_slices=443687, duration.command.search.index=14084, invocations.command.search.index.bucketcache.hit=125, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=115799, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12657073, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 00:35:08.299, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654648380_75581', total_run_time=89.05, event_count=0, result_count=0, available_count=0, scan_count=41747151, drop_count=0, exec_time=1654648406, api_et=1654644780.000000000, api_lt=1654648380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654644780.000000000, search_lt=1654648408.814465000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="4030", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_2314e084a5263a44", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1936, eliminated_buckets=137, considered_events=41747151, total_slices=13872255, decompressed_slices=4064118, duration.command.search.index=15485, invocations.command.search.index.bucketcache.hit=1935, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=259094, invocations.command.search.rawdata.bucketcache.hit=298, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 00:34:09.959, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654648320_75556', total_run_time=78.95, event_count=0, result_count=0, available_count=0, scan_count=28741063, drop_count=0, exec_time=1654648369, api_et=1654633920.000000000, api_lt=1654648320.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654633920.000000000, search_lt=1654648320.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3359", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=125, eliminated_buckets=0, considered_events=28741063, total_slices=1186010, decompressed_slices=444074, duration.command.search.index=22011, invocations.command.search.index.bucketcache.hit=125, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=187519, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12668873, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 00:32:07.611, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654648200_75501', total_run_time=63.15, event_count=0, result_count=0, available_count=0, scan_count=28791011, drop_count=0, exec_time=1654648250, api_et=1654633800.000000000, api_lt=1654648200.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654633800.000000000, search_lt=1654648200.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2788", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=125, eliminated_buckets=0, considered_events=28791011, total_slices=1182633, decompressed_slices=444690, duration.command.search.index=24603, invocations.command.search.index.bucketcache.hit=125, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=249117, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12679500, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 00:30:38.379, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654648140_75459', total_run_time=42.48, event_count=0, result_count=0, available_count=0, scan_count=28821355, drop_count=0, exec_time=1654648190, api_et=1654633740.000000000, api_lt=1654648140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654633740.000000000, search_lt=1654648140.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2989", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=125, eliminated_buckets=0, considered_events=28821355, total_slices=1180572, decompressed_slices=445007, duration.command.search.index=12326, invocations.command.search.index.bucketcache.hit=125, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=116502, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12685032, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 00:29:37.196, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654648080_75444', total_run_time=30.12, event_count=0, result_count=0, available_count=0, scan_count=28841543, drop_count=0, exec_time=1654648130, api_et=1654633680.000000000, api_lt=1654648080.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654633680.000000000, search_lt=1654648080.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2677", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=125, eliminated_buckets=0, considered_events=28841543, total_slices=1178861, decompressed_slices=445206, duration.command.search.index=11430, invocations.command.search.index.bucketcache.hit=125, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=90940, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12689455, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 00:28:37.058, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654648020_75430', total_run_time=42.37, event_count=0, result_count=0, available_count=0, scan_count=28863067, drop_count=0, exec_time=1654648070, api_et=1654633620.000000000, api_lt=1654648020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654633620.000000000, search_lt=1654648020.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2737", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=28863067, total_slices=1203190, decompressed_slices=445421, duration.command.search.index=12458, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=100704, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12694199, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 00:27:37.096, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654647960_75411', total_run_time=27.92, event_count=0, result_count=0, available_count=0, scan_count=28895636, drop_count=0, exec_time=1654648009, api_et=1654633560.000000000, api_lt=1654647960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654633560.000000000, search_lt=1654647960.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2806", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=28895636, total_slices=1201444, decompressed_slices=445650, duration.command.search.index=11764, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=89419, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12699419, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 00:26:37.116, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654647900_75395', total_run_time=39.38, event_count=0, result_count=0, available_count=0, scan_count=28921727, drop_count=0, exec_time=1654647949, api_et=1654633500.000000000, api_lt=1654647900.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654633500.000000000, search_lt=1654647900.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2691", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=28921727, total_slices=1199688, decompressed_slices=445981, duration.command.search.index=12890, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=95679, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12704601, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 00:25:37.002, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654647840_75381', total_run_time=47.40, event_count=0, result_count=0, available_count=0, scan_count=28949170, drop_count=0, exec_time=1654647889, api_et=1654633440.000000000, api_lt=1654647840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654633440.000000000, search_lt=1654647840.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2804", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=28949170, total_slices=1197772, decompressed_slices=446263, duration.command.search.index=13452, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=107367, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12710539, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 00:25:07.319, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654647780_75362', total_run_time=56.64, event_count=0, result_count=0, available_count=0, scan_count=28968725, drop_count=0, exec_time=1654647829, api_et=1654633380.000000000, api_lt=1654647780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654633380.000000000, search_lt=1654647780.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2804", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=28968725, total_slices=1196086, decompressed_slices=446357, duration.command.search.index=14579, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=108874, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12714769, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 00:23:37.346, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD5f35305de57109d38_at_1654647600_75290', total_run_time=130.21, event_count=12729080, result_count=15, available_count=0, scan_count=29043173, drop_count=0, exec_time=1654647659, api_et=1654633200.000000000, api_lt=1654647600.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654633200.000000000, search_lt=1654647600.000000000, is_realtime=0, savedsearch_name="(1/3)_Public/NAT IP_Updating Existing IP", search_startup_time="3166", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_0f6d107c44b6659a", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=29043173, total_slices=1190994, decompressed_slices=447161, duration.command.search.index=19850, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=157719, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12729080, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="False" | eval earliest_seen=strptime(existing_es, "%m/%d/%Y %H:%M:%S.%N") | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(earliest_seen) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields ServiceType, host, src_translated_ip, earliest_seen, latest_seen, right_now, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 00:23:37.106, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654647660_75316', total_run_time=80.84, event_count=0, result_count=0, available_count=0, scan_count=29016116, drop_count=0, exec_time=1654647709, api_et=1654633260.000000000, api_lt=1654647660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654633260.000000000, search_lt=1654647660.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2832", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=29016116, total_slices=1192673, decompressed_slices=446891, duration.command.search.index=17502, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=127085, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12724538, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 00:21:11.274, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654647480_75224', total_run_time=137.38, event_count=0, result_count=0, available_count=0, scan_count=29090611, drop_count=0, exec_time=1654647530, api_et=1654633080.000000000, api_lt=1654647480.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654633080.000000000, search_lt=1654647480.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3168", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=29090611, total_slices=1186854, decompressed_slices=447627, duration.command.search.index=19806, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=170484, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12738392, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 00:18:37.014, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654647360_75180', total_run_time=105.45, event_count=0, result_count=0, available_count=0, scan_count=29137882, drop_count=0, exec_time=1654647410, api_et=1654632960.000000000, api_lt=1654647360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654632960.000000000, search_lt=1654647360.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3366", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=29137882, total_slices=1183311, decompressed_slices=447995, duration.command.search.index=17761, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=165039, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12748754, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 00:16:37.531, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654647360_75174', total_run_time=10.34, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654647371, api_et=1654643160.000000000, api_lt=1654646760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654643760.000000000, search_lt=1654647373.174909000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3812", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_ea8bf8bc28214fd2", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1103, eliminated_buckets=383, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=797, invocations.command.search.index.bucketcache.hit=1103, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 00:16:37.052, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654647240_75145', total_run_time=100.16, event_count=0, result_count=0, available_count=0, scan_count=29192456, drop_count=0, exec_time=1654647290, api_et=1654632840.000000000, api_lt=1654647240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654632840.000000000, search_lt=1654647240.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2782", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=29192456, total_slices=1179460, decompressed_slices=448559, duration.command.search.index=13696, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=114659, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12762419, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 00:15:07.349, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654647240_75132', total_run_time=21.72, event_count=0, result_count=0, available_count=0, scan_count=16117, drop_count=0, exec_time=1654647264, api_et=1654643640.000000000, api_lt=1654647240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654643640.000000000, search_lt=1654647265.958869000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="3069", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", 
provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=402, eliminated_buckets=287, considered_events=16266, total_slices=723765, decompressed_slices=4404, duration.command.search.index=1494, invocations.command.search.index.bucketcache.hit=402, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=7734, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=60, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=377, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=975, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=233, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=10, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=270, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=6, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR 
sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." 
(CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-08-2022 00:14:07.245, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654647060_75078', total_run_time=121.07, event_count=0, result_count=0, available_count=0, scan_count=29263320, drop_count=0, exec_time=1654647110, api_et=1654632660.000000000, api_lt=1654647060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654632660.000000000, search_lt=1654647060.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3291", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=128, eliminated_buckets=0, considered_events=29263320, total_slices=1226915, decompressed_slices=448974, duration.command.search.index=19577, invocations.command.search.index.bucketcache.hit=128, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=143638, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12776678, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 00:13:07.075, user=u00002, action=search, info=completed, search_id='scheduler__u00002__search__RMD5b133e58a16dd7195_at_1654646400_74935', total_run_time=498.25, event_count=2696, result_count=2695, available_count=0, scan_count=1756781, drop_count=0, exec_time=1654646688, api_et=1654560000.000000000, api_lt=1654646400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1567209600.000000000, search_lt=1654646400.000000000, is_realtime=0, savedsearch_name="DMO Confluence Aging Metrics", search_startup_time="64787", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_search_u00002_4e8b2863608c057a", app="search", 
provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=30399, eliminated_buckets=4774, considered_events=1756781, total_slices=14095627, decompressed_slices=1089749, duration.command.search.index=1669006, invocations.command.search.index.bucketcache.hit=27695, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=2743, duration.command.search.index.bucketcache.miss=759424, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=429196, invocations.command.search.rawdata.bucketcache.hit=20604, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=997, duration.command.search.rawdata.bucketcache.miss=576607, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__access=71088, sourcetype_count__atlassian:confluence:access=1170765, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search earliest=08/31/2019:00:00:00 latest=now index=ops_confluence url IN ("https://confluence.tshirt.com/display/SEC/*") uri_path="/rest/quickreload/latest/*" | fields url, uri_path | rex field=uri_path "\/rest\/quickreload\/latest\/(?[^?]+)" | rex field=url "https:\/\/confluence.tshirt.com\/display\/SEC\/(?[^?]+)" | rex field=url "https://confluence.tshirt.com/display/~u00001/(?[^?]+)" | eval pageTitle=coalesce(pageTitle_1, pageTitle_2, "") | fields pageId, pageTitle | dedup pageId | join type=left pageId [search earliest=08/31/2019:00:00:00 latest=now index=ops_confluence PUT user=* url="https://confluence.tshirt.com/pages/resumedraft.action?draftId=*" uri_path="/rest/api/content/*" | rex field=uri_path 
"\/rest\/api\/content\/(?[^?]+)\?status=draft" | stats latest(_time) AS last_edited latest(user) AS last_edited_by by pageId | fields last_edited last_edited_by pageId] | fields last_edited pageTitle pageId last_edited_by | eval days=round(((now()-last_edited)/86400),0) | convert ctime(last_edited) | table last_edited pageTitle pageId last_edited_by days | where pageId!=0 | sort +days | outputlookup dmo_conf_age.csv'] Audit:[timestamp=06-08-2022 00:11:37.844, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654647060_75061', total_run_time=5.93, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654647065, api_et=1654643460.000000000, api_lt=1654647060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654643460.000000000, search_lt=1654647067.802959000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2970", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_f135d3f6cb3004d2", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=60, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=44, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, 
invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 00:11:09.038, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654646880_75002', total_run_time=120.69, event_count=0, result_count=0, available_count=0, scan_count=29340335, drop_count=0, exec_time=1654646930, api_et=1654632480.000000000, api_lt=1654646880.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654632480.000000000, search_lt=1654646880.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2744", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=128, eliminated_buckets=0, considered_events=29340335, total_slices=1221520, decompressed_slices=449596, duration.command.search.index=19094, invocations.command.search.index.bucketcache.hit=128, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=142398, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12794951, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 00:10:27.460, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654646940_75010', total_run_time=72.88, event_count=0, result_count=0, available_count=0, scan_count=4975991, drop_count=0, exec_time=1654646946, api_et=1654642740.000000000, api_lt=1654646340.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654642740.000000000, search_lt=1654646340.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3250", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_4e28331a9b78fc31", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=807, eliminated_buckets=402, considered_events=4975991, total_slices=1055074, decompressed_slices=232465, duration.command.search.index=2529, invocations.command.search.index.bucketcache.hit=807, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=44934, invocations.command.search.rawdata.bucketcache.hit=7, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=140, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?<granted_account_id>\d+?):(?<granted_principal_name>.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", 
risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 00:10:07.923, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654646820_74988', total_run_time=42.22, event_count=1201, result_count=87, available_count=0, scan_count=473360, drop_count=0, exec_time=1654646880, api_et=1654643220.000000000, api_lt=1654646820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654643220.000000000, search_lt=1654646882.514101000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - Windows - CLI Threat Indicator Detected - Rule", search_startup_time="3032", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=401, eliminated_buckets=187, considered_events=478531, total_slices=608293, decompressed_slices=132453, duration.command.search.index=8015, invocations.command.search.index.bucketcache.hit=401, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=64704, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, 
invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=7, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=382285, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=35802, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-08-2022 00:10:07.793, user=u00002, action=search, info=completed, 
search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654646700_74952', total_run_time=140.40, event_count=0, result_count=0, available_count=0, scan_count=29421373, drop_count=0, exec_time=1654646750, api_et=1654632300.000000000, api_lt=1654646700.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654632300.000000000, search_lt=1654646700.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3250", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=129, eliminated_buckets=0, considered_events=29421373, total_slices=1242051, decompressed_slices=450332, duration.command.search.index=22065, invocations.command.search.index.bucketcache.hit=129, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=192768, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12811608, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" 
src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 00:10:07.552, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654646820_74981', total_run_time=30.99, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654646846, api_et=1654643220.000000000, api_lt=1654646820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654643220.000000000, search_lt=1654646848.503527000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2841", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_00025c63cb212692", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=401, eliminated_buckets=187, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=1793, invocations.command.search.index.bucketcache.hit=401, duration.command.search.index.bucketcache.hit=0, 
invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-08-2022 00:05:50.801, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654646520_74842', total_run_time=167.78, event_count=0, result_count=0, available_count=0, scan_count=29496322, drop_count=0, exec_time=1654646570, api_et=1654632120.000000000, api_lt=1654646520.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654632120.000000000, search_lt=1654646520.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2710", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=129, eliminated_buckets=0, considered_events=29496322, total_slices=1236663, decompressed_slices=451221, duration.command.search.index=34092, invocations.command.search.index.bucketcache.hit=129, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=325214, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12828323, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 00:05:22.940, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654646400_74775', total_run_time=105.26, event_count=0, result_count=0, available_count=0, scan_count=29580567, drop_count=0, exec_time=1654646450, api_et=1654632000.000000000, api_lt=1654646400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654632000.000000000, search_lt=1654646400.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2780", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=0, considered_events=29580567, total_slices=1259228, decompressed_slices=452452, duration.command.search.index=32322, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=288556, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12861774, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-08-2022 00:02:03.126, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD5447569e8e48a25cb_at_1654646400_74771', total_run_time=62.76, event_count=0, result_count=101, available_count=0, scan_count=0, drop_count=0, exec_time=1654646433, api_et=1654644600.000000000, api_lt=1654646400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654644600.000000000, search_lt=1654646400.000000000, is_realtime=0, savedsearch_name="DMO SOP SIR Metrics", search_startup_time="63673", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=0, eliminated_buckets=0, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=0, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='| inputlookup dmo_conf_age.csv | search pageTitle IN ("DMOESS*", "RQ-S*") NOT pageTitle IN ("*+Retired", "*+RETIRED") | rex field=pageTitle "^(?<usecase_id>\S+?)\+" | join usecase_id [| search earliest=-1y index=sec_snow sourcetype=snow:sn_si_incident | rex field=description "(?s)\|\s(?<usecase_title>(RQ-|DMOESS).*)?For ServiceNow Consumption:" | stats latest(number) as latest_sir_number by _time, usecase_title | makemv usecase_title delim=" | " | mvexpand usecase_title | search usecase_title IN ("RQ-*", "DMOESS*") | stats last(latest_sir_number) as latest_sir_number latest(_time) as last_appeared_in_sir by usecase_title | rex field=usecase_title "^(?<usecase_id>\S*)" | fields usecase_id, usecase_title, latest_sir_number, last_appeared_in_sir] | stats values(pageTitle) as conf_pageTitle, values(last_edited_by) as conf_last_edited_by, values(last_edited) as conf_last_edited, values(days) as conf_days_since_last_edit, values(pageId) as conf_pageId by last_appeared_in_sir, latest_sir_number, usecase_id, usecase_title | convert ctime(last_appeared_in_sir) | outputlookup dmo_sop_sir_metrics.csv'] Audit:[timestamp=06-07-2022 23:44:48.454, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654645380_74458', total_run_time=43.42, event_count=0, result_count=0, available_count=0, scan_count=3993, drop_count=0, exec_time=1654645417, api_et=1654641780.000000000, api_lt=1654645380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654641780.000000000, search_lt=1654645419.511467000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", 
search_startup_time="2248", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_17675c5135f62834", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=114, eliminated_buckets=0, considered_events=3993, total_slices=686761, decompressed_slices=1571, duration.command.search.index=1421, invocations.command.search.index.bucketcache.hit=113, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5999, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, 
risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 23:37:08.816, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654644780_74238', total_run_time=199.02, event_count=0, result_count=0, available_count=0, scan_count=41663358, drop_count=0, exec_time=1654644805, api_et=1654641180.000000000, api_lt=1654644780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654641180.000000000, search_lt=1654644807.467389000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3975", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_031b714457898b6d", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1959, eliminated_buckets=137, considered_events=41663358, total_slices=13644823, decompressed_slices=4002459, duration.command.search.index=16347, invocations.command.search.index.bucketcache.hit=1957, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=234476, invocations.command.search.rawdata.bucketcache.hit=288, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 23:16:45.231, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654643760_73873', total_run_time=9.50, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654643771, api_et=1654639560.000000000, api_lt=1654643160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654640160.000000000, search_lt=1654643773.598521000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3817", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_088bbec1d7339583", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1104, eliminated_buckets=381, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=800, invocations.command.search.index.bucketcache.hit=1104, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?<rapiddiag_operation>task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?<get_parameters>.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?<task_name>.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes 
values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 23:14:45.196, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654643640_73832', total_run_time=9.32, event_count=0, result_count=0, available_count=0, scan_count=19886, drop_count=0, exec_time=1654643663, api_et=1654640040.000000000, api_lt=1654643640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654640040.000000000, search_lt=1654643665.530996000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2901", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=402, eliminated_buckets=287, considered_events=20446, total_slices=614810, decompressed_slices=5127, duration.command.search.index=1660, 
invocations.command.search.index.bucketcache.hit=402, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=7611, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=69, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=460, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=1182, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=274, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=5, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=353, sourcetype_count__crowdstrike:falcon:fdr:RtfFileWritten=3, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=11, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR 
sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." 
(CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-07-2022 23:11:15.410, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654643460_73767', total_run_time=5.12, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654643465, api_et=1654639860.000000000, api_lt=1654643460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654639860.000000000, search_lt=1654643467.108872000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2930", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_f403fd2dae502769", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=60, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=32, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?<dest_host>.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 23:09:45.433, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654643220_73699', total_run_time=14.40, event_count=0, result_count=0, available_count=0, scan_count=3, drop_count=0, exec_time=1654643246, api_et=1654639620.000000000, api_lt=1654643220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654639620.000000000, search_lt=1654643248.331610000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2832", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_aa26d948b8b28979", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=401, eliminated_buckets=187, considered_events=3, total_slices=23803, decompressed_slices=2, duration.command.search.index=1549, invocations.command.search.index.bucketcache.hit=401, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=1142, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?<dest_host>(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 23:09:45.091, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654643220_73704', total_run_time=31.28, event_count=1214, result_count=57, available_count=0, scan_count=506796, drop_count=0, exec_time=1654643280, api_et=1654639620.000000000, api_lt=1654643220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654639620.000000000, search_lt=1654643282.625240000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - Windows - CLI Threat Indicator Detected - Rule", search_startup_time="3241", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=401, eliminated_buckets=187, considered_events=512600, total_slices=534224, decompressed_slices=139062, duration.command.search.index=5834, invocations.command.search.index.bucketcache.hit=401, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58011, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=10, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=406678, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=39650, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-07-2022 23:09:44.577, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654643340_73723', total_run_time=30.17, event_count=0, result_count=0, available_count=0, scan_count=4985335, drop_count=0, exec_time=1654643345, api_et=1654639140.000000000, api_lt=1654642740.000000000, 
api_index_et=N/A, api_index_lt=N/A, search_et=1654639140.000000000, search_lt=1654642740.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3033", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_4901740d7cfeaa52", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=821, eliminated_buckets=413, considered_events=4985335, total_slices=1101325, decompressed_slices=232603, duration.command.search.index=2211, invocations.command.search.index.bucketcache.hit=821, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=41744, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=165, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?<granted_account_id>\d+?):(?<granted_principal_name>.+?)\"" | where granted_account_id != recipientAccountId | 
stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 22:44:21.829, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654641780_73210', total_run_time=41.46, event_count=0, result_count=0, available_count=0, scan_count=3151, drop_count=0, exec_time=1654641818, api_et=1654638180.000000000, api_lt=1654641780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654638180.000000000, search_lt=1654641820.495377000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2850", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_63f23c094643d338", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=119, eliminated_buckets=0, considered_events=3151, total_slices=668966, decompressed_slices=1211, duration.command.search.index=1369, invocations.command.search.index.bucketcache.hit=119, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5585, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 22:35:21.810, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654641180_72987', total_run_time=101.10, event_count=0, result_count=0, available_count=0, scan_count=41760345, drop_count=0, 
exec_time=1654641205, api_et=1654637580.000000000, api_lt=1654641180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654637580.000000000, search_lt=1654641207.436654000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3816", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_ba634104feccb02c", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=2107, eliminated_buckets=137, considered_events=41760345, total_slices=13809366, decompressed_slices=4055314, duration.command.search.index=15000, invocations.command.search.index.bucketcache.hit=2101, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=241208, invocations.command.search.rawdata.bucketcache.hit=302, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename 
suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 22:16:50.958, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654640160_72611', total_run_time=38.40, event_count=0, result_count=0, available_count=0, scan_count=1, drop_count=0, exec_time=1654640171, api_et=1654635960.000000000, api_lt=1654639560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654636560.000000000, search_lt=1654640173.011295000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3722", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_4276cd8d20ba1c1c", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1106, eliminated_buckets=385, considered_events=1, total_slices=5358, decompressed_slices=1, duration.command.search.index=773, invocations.command.search.index.bucketcache.hit=1106, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, 
duration.command.search.rawdata=152, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?<rapiddiag_operation>task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?<get_parameters>.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?<task_name>.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF 
Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 22:14:51.213, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654640040_72571', total_run_time=8.34, event_count=0, result_count=0, available_count=0, scan_count=21151, drop_count=0, exec_time=1654640063, api_et=1654636440.000000000, api_lt=1654640040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654636440.000000000, search_lt=1654640065.351992000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2859", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=409, eliminated_buckets=292, considered_events=21428, total_slices=507699, decompressed_slices=5127, duration.command.search.index=1319, invocations.command.search.index.bucketcache.hit=407, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=6780, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=63, 
sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=520, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=1320, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=325, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=5, sourcetype_count__crowdstrike:falcon:fdr:PdfFileWritten=2, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=740, sourcetype_count__crowdstrike:falcon:fdr:RtfFileWritten=2, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=10, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR 
sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-07-2022 22:11:21.229, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654639860_72505', total_run_time=4.83, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654639865, api_et=1654636260.000000000, api_lt=1654639860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654636260.000000000, search_lt=1654639867.606062000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2852", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_3744ec2c353a36c9", 
app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=62, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=38, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 22:09:40.273, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654639740_72459', total_run_time=22.24, event_count=0, result_count=0, available_count=0, scan_count=5274644, drop_count=0, exec_time=1654639746, api_et=1654635540.000000000, api_lt=1654639140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654635540.000000000, search_lt=1654639140.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3083", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_90eb472ae32318b2", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=796, eliminated_buckets=392, considered_events=5274644, total_slices=1091621, decompressed_slices=241988, duration.command.search.index=2334, invocations.command.search.index.bucketcache.hit=795, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=41215, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=189, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 22:09:19.160, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654639620_72434', total_run_time=8.36, event_count=0, result_count=0, available_count=0, scan_count=2, drop_count=0, exec_time=1654639647, api_et=1654636020.000000000, api_lt=1654639620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654636020.000000000, search_lt=1654639649.087020000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To 
Gitlab Servers - Rule", search_startup_time="3078", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_ca6f0d43c3bf75fb", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=408, eliminated_buckets=187, considered_events=2, total_slices=16786, decompressed_slices=2, duration.command.search.index=1299, invocations.command.search.index.bucketcache.hit=406, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=383, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine 
dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 22:09:18.901, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654639620_72439', total_run_time=24.67, event_count=1159, result_count=56, available_count=0, scan_count=521619, drop_count=0, exec_time=1654639680, api_et=1654636020.000000000, api_lt=1654639620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654636020.000000000, search_lt=1654639682.232818000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2862", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=409, eliminated_buckets=187, considered_events=532558, total_slices=601768, decompressed_slices=140054, duration.command.search.index=5057, invocations.command.search.index.bucketcache.hit=407, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=53123, invocations.command.search.rawdata.bucketcache.hit=6, duration.command.search.rawdata.bucketcache.hit=0, 
invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=3, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=414535, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=43034, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] 
Audit:[timestamp=06-07-2022 21:44:31.029, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654638180_71942', total_run_time=38.52, event_count=0, result_count=0, available_count=0, scan_count=3561, drop_count=0, exec_time=1654638218, api_et=1654634580.000000000, api_lt=1654638180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654634580.000000000, search_lt=1654638220.740983000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2902", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_300908825c1ec305", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=125, eliminated_buckets=0, considered_events=3561, total_slices=655537, decompressed_slices=777, duration.command.search.index=1613, invocations.command.search.index.bucketcache.hit=125, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=6287, invocations.command.search.rawdata.bucketcache.hit=5, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search 
index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 21:39:44.673, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654637580_71722', total_run_time=306.12, event_count=0, result_count=0, available_count=0, scan_count=41690757, drop_count=0, exec_time=1654637605, api_et=1654633980.000000000, api_lt=1654637580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654633980.000000000, search_lt=1654637607.403540000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3843", has_error_msg=true, fully_completed_search=false, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_94760c5bc58680f5", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=2253, eliminated_buckets=137, considered_events=41690757, total_slices=13715780, decompressed_slices=4061106, duration.command.search.index=17800, 
invocations.command.search.index.bucketcache.hit=2252, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=229831, invocations.command.search.rawdata.bucketcache.hit=296, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 21:16:40.263, user=u00001, action=search, info=completed, 
search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654636560_71354', total_run_time=13.59, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654636571, api_et=1654632360.000000000, api_lt=1654635960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654632960.000000000, search_lt=1654636573.213514000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3584", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_1a34da4918973db5", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1106, eliminated_buckets=385, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=974, invocations.command.search.index.bucketcache.hit=1106, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert 
OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metadata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metadata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 21:14:38.978, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654636440_71314', total_run_time=5.30, event_count=0, result_count=0, available_count=0, scan_count=22642, drop_count=0, exec_time=1654636464, api_et=1654632840.000000000, api_lt=1654636440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654632840.000000000, search_lt=1654636465.870891000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2814", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=403, eliminated_buckets=287, considered_events=23452, total_slices=396889, decompressed_slices=5627, duration.command.search.index=1362, invocations.command.search.index.bucketcache.hit=403, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=6741, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=63, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=523, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=1340, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=318, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=5, 
sourcetype_count__crowdstrike:falcon:fdr:PdfFileWritten=4, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=797, sourcetype_count__crowdstrike:falcon:fdr:RtfFileWritten=2, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=23, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR 
sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-07-2022 21:11:39.454, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654636260_71248', total_run_time=5.38, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654636264, api_et=1654632660.000000000, api_lt=1654636260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654632660.000000000, search_lt=1654636267.230447000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="3383", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_23165d030f29b17d", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=60, considered_events=0, total_slices=0, decompressed_slices=0, 
duration.command.search.index=38, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 21:09:34.869, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654636020_71177', total_run_time=8.58, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654636047, api_et=1654632420.000000000, api_lt=1654636020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654632420.000000000, search_lt=1654636048.979119000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2821", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_7d819f35b9ca843f", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=404, eliminated_buckets=188, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=1469, invocations.command.search.index.bucketcache.hit=403, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 21:09:34.571, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654636140_71201', total_run_time=18.14, event_count=0, result_count=0, available_count=0, scan_count=5104125, drop_count=0, exec_time=1654636146, api_et=1654631940.000000000, api_lt=1654635540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654631940.000000000, search_lt=1654635540.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3110", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_a7610260cb11196b", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=825, eliminated_buckets=416, considered_events=5104125, total_slices=1119929, decompressed_slices=234760, duration.command.search.index=2113, invocations.command.search.index.bucketcache.hit=825, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=39650, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=221, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 21:09:34.337, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654636020_71188', total_run_time=22.28, event_count=1174, result_count=55, available_count=0, scan_count=537041, drop_count=0, exec_time=1654636085, api_et=1654632420.000000000, api_lt=1654636020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654632420.000000000, search_lt=1654636087.374440000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2916", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=404, eliminated_buckets=188, considered_events=546312, total_slices=596604, decompressed_slices=147014, duration.command.search.index=5529, invocations.command.search.index.bucketcache.hit=403, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=60568, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=3, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=428220, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=41766, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype 
CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-07-2022 21:00:27.455, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654635540_70972', total_run_time=31.74, event_count=0, result_count=0, available_count=0, scan_count=31468375, drop_count=0, exec_time=1654635590, api_et=1654621140.000000000, api_lt=1654635540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654621140.000000000, search_lt=1654635540.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2664", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=1, considered_events=31468375, total_slices=1610015, decompressed_slices=493265, duration.command.search.index=11788, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=106743, invocations.command.search.rawdata.bucketcache.hit=26, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13427486, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 20:59:27.248, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654635480_70959', total_run_time=20.09, event_count=0, result_count=0, available_count=0, 
scan_count=31465100, drop_count=0, exec_time=1654635529, api_et=1654621080.000000000, api_lt=1654635480.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654621080.000000000, search_lt=1654635480.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2760", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=1, considered_events=31465100, total_slices=1607816, decompressed_slices=493363, duration.command.search.index=10983, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=78148, invocations.command.search.rawdata.bucketcache.hit=26, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13430692, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv 
src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 20:58:27.466, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654635420_70943', total_run_time=24.66, event_count=0, result_count=0, available_count=0, scan_count=31455849, drop_count=0, exec_time=1654635470, api_et=1654621020.000000000, api_lt=1654635420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654621020.000000000, search_lt=1654635420.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2811", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=146, eliminated_buckets=0, considered_events=31455849, total_slices=1605688, decompressed_slices=493266, duration.command.search.index=11240, invocations.command.search.index.bucketcache.hit=146, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=82456, 
invocations.command.search.rawdata.bucketcache.hit=26, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13432542, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 20:57:27.341, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654635360_70926', total_run_time=18.00, event_count=0, result_count=0, available_count=0, scan_count=31445367, drop_count=0, exec_time=1654635410, api_et=1654620960.000000000, api_lt=1654635360.000000000, api_index_et=N/A, api_index_lt=N/A, 
search_et=1654620960.000000000, search_lt=1654635360.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2715", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=31445367, total_slices=1603590, decompressed_slices=493246, duration.command.search.index=11760, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=77642, invocations.command.search.rawdata.bucketcache.hit=26, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13434592, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval 
isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 20:56:27.430, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654635300_70915', total_run_time=23.74, event_count=0, result_count=0, available_count=0, scan_count=31434129, drop_count=0, exec_time=1654635349, api_et=1654620900.000000000, api_lt=1654635300.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654620900.000000000, search_lt=1654635300.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2788", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=31434129, total_slices=1601371, decompressed_slices=493249, duration.command.search.index=11781, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=84495, invocations.command.search.rawdata.bucketcache.hit=24, duration.command.search.rawdata.bucketcache.hit=0, 
invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13435300, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 20:55:27.418, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654635240_70900', total_run_time=28.82, event_count=0, result_count=0, available_count=0, scan_count=31425280, drop_count=0, exec_time=1654635290, api_et=1654620840.000000000, api_lt=1654635240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654620840.000000000, search_lt=1654635240.000000000, is_realtime=0, 
savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3219", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=31425280, total_slices=1599269, decompressed_slices=493167, duration.command.search.index=12076, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=83676, invocations.command.search.rawdata.bucketcache.hit=24, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13437174, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as 
ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 20:54:57.272, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654635180_70883', total_run_time=48.95, event_count=0, result_count=0, available_count=0, scan_count=31416036, drop_count=0, exec_time=1654635229, api_et=1654620780.000000000, api_lt=1654635180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654620780.000000000, search_lt=1654635180.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3116", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=31416036, total_slices=1597038, decompressed_slices=493105, duration.command.search.index=12703, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=92734, invocations.command.search.rawdata.bucketcache.hit=24, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, 
invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13440827, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 20:53:45.498, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654635120_70860', total_run_time=49.43, event_count=0, result_count=0, available_count=0, scan_count=31412460, drop_count=0, exec_time=1654635169, api_et=1654620720.000000000, api_lt=1654635120.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654620720.000000000, search_lt=1654635120.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2833", has_error_msg=false, fully_completed_search=true, 
is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=146, eliminated_buckets=0, considered_events=31412460, total_slices=1621623, decompressed_slices=493028, duration.command.search.index=15849, invocations.command.search.index.bucketcache.hit=146, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=152145, invocations.command.search.rawdata.bucketcache.hit=25, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13443377, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval 
right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 20:53:14.886, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654635060_70843', total_run_time=37.50, event_count=0, result_count=0, available_count=0, scan_count=31401596, drop_count=0, exec_time=1654635109, api_et=1654620660.000000000, api_lt=1654635060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654620660.000000000, search_lt=1654635060.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2645", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=146, eliminated_buckets=0, considered_events=31401596, total_slices=1619487, decompressed_slices=492881, duration.command.search.index=15063, invocations.command.search.index.bucketcache.hit=146, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=122622, invocations.command.search.rawdata.bucketcache.hit=25, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13444321, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 20:51:57.612, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654635000_70819', total_run_time=41.30, event_count=0, result_count=0, available_count=0, scan_count=31389671, drop_count=0, exec_time=1654635051, api_et=1654620600.000000000, api_lt=1654635000.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654620600.000000000, search_lt=1654635000.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3248", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=146, eliminated_buckets=0, considered_events=31389671, total_slices=1617403, decompressed_slices=492750, duration.command.search.index=17541, invocations.command.search.index.bucketcache.hit=146, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=161803, invocations.command.search.rawdata.bucketcache.hit=25, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13447935, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 20:50:27.850, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654634940_70783', total_run_time=24.18, event_count=0, result_count=0, available_count=0, scan_count=31382150, drop_count=0, exec_time=1654634990, api_et=1654620540.000000000, api_lt=1654634940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654620540.000000000, search_lt=1654634940.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2925", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=146, eliminated_buckets=0, considered_events=31382150, total_slices=1615139, decompressed_slices=492611, duration.command.search.index=12540, invocations.command.search.index.bucketcache.hit=146, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=109588, invocations.command.search.rawdata.bucketcache.hit=25, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13450769, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 20:49:27.543, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654634880_70762', total_run_time=21.80, event_count=0, result_count=0, available_count=0, scan_count=31371453, drop_count=0, exec_time=1654634930, api_et=1654620480.000000000, api_lt=1654634880.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654620480.000000000, search_lt=1654634880.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3190", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=31371453, total_slices=1612830, decompressed_slices=492540, duration.command.search.index=12629, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=85915, invocations.command.search.rawdata.bucketcache.hit=25, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13452105, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 20:48:13.901, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654634820_70745', total_run_time=16.15, event_count=0, result_count=0, available_count=0, scan_count=31362273, drop_count=0, exec_time=1654634870, api_et=1654620420.000000000, api_lt=1654634820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654620420.000000000, search_lt=1654634820.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3499", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=146, eliminated_buckets=0, considered_events=31362273, total_slices=1610799, decompressed_slices=492507, duration.command.search.index=10707, invocations.command.search.index.bucketcache.hit=146, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=77713, invocations.command.search.rawdata.bucketcache.hit=25, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13454437, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 20:48:11.329, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654634760_70724', total_run_time=16.08, event_count=0, result_count=0, available_count=0, scan_count=31347699, drop_count=0, exec_time=1654634810, api_et=1654620360.000000000, api_lt=1654634760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654620360.000000000, search_lt=1654634760.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2946", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=146, eliminated_buckets=0, considered_events=31347699, total_slices=1608810, decompressed_slices=492376, duration.command.search.index=10972, invocations.command.search.index.bucketcache.hit=146, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=76071, invocations.command.search.rawdata.bucketcache.hit=25, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13456376, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 20:46:27.730, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654634700_70706', total_run_time=16.79, event_count=0, result_count=0, available_count=0, scan_count=31334752, drop_count=0, exec_time=1654634751, api_et=1654620300.000000000, api_lt=1654634700.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654620300.000000000, search_lt=1654634700.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3537", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=146, eliminated_buckets=0, considered_events=31334752, total_slices=1606680, decompressed_slices=492266, duration.command.search.index=10879, invocations.command.search.index.bucketcache.hit=146, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=81100, invocations.command.search.rawdata.bucketcache.hit=25, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13458279, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 20:45:27.425, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654634640_70683', total_run_time=22.52, event_count=0, result_count=0, available_count=0, scan_count=31325833, drop_count=0, exec_time=1654634689, api_et=1654620240.000000000, api_lt=1654634640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654620240.000000000, search_lt=1654634640.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2735", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=146, eliminated_buckets=0, considered_events=31325833, total_slices=1604461, decompressed_slices=492137, duration.command.search.index=13368, invocations.command.search.index.bucketcache.hit=146, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=88969, invocations.command.search.rawdata.bucketcache.hit=25, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13461321, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 20:44:15.804, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654634580_70660', total_run_time=23.99, event_count=0, result_count=0, available_count=0, scan_count=2924, drop_count=0, exec_time=1654634618, api_et=1654630980.000000000, api_lt=1654634580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654630980.000000000, search_lt=1654634620.630262000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2801", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_93c26365f034d69c", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=128, eliminated_buckets=0, considered_events=2924, total_slices=775405, decompressed_slices=1006, duration.command.search.index=1210, invocations.command.search.index.bucketcache.hit=128, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5028, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 20:44:15.650, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654634580_70663', total_run_time=17.23, event_count=0, result_count=0, available_count=0, scan_count=31314657, drop_count=0, exec_time=1654634629, api_et=1654620180.000000000, api_lt=1654634580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654620180.000000000, search_lt=1654634580.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3161", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=146, eliminated_buckets=0, considered_events=31314657, total_slices=1602343, decompressed_slices=492061, duration.command.search.index=10990, invocations.command.search.index.bucketcache.hit=146, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=75606, invocations.command.search.rawdata.bucketcache.hit=25, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13461603, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 20:43:52.250, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654634460_70612', total_run_time=33.91, event_count=0, result_count=0, available_count=0, scan_count=31303455, drop_count=0, exec_time=1654634509, api_et=1654620060.000000000, api_lt=1654634460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654620060.000000000, search_lt=1654634460.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2780", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=146, eliminated_buckets=0, considered_events=31303455, total_slices=1598055, decompressed_slices=491976, duration.command.search.index=13998, invocations.command.search.index.bucketcache.hit=146, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=106407, invocations.command.search.rawdata.bucketcache.hit=25, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13463095, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 20:43:52.239, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654634520_70636', total_run_time=35.46, event_count=0, result_count=0, available_count=0, scan_count=31306252, drop_count=0, exec_time=1654634569, api_et=1654620120.000000000, api_lt=1654634520.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654620120.000000000, search_lt=1654634520.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2718", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=146, eliminated_buckets=0, considered_events=31306252, total_slices=1599681, decompressed_slices=492028, duration.command.search.index=13831, invocations.command.search.index.bucketcache.hit=146, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=97732, invocations.command.search.rawdata.bucketcache.hit=25, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13462467, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 20:41:39.298, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654634400_70587', total_run_time=29.78, event_count=0, result_count=0, available_count=0, scan_count=31290701, drop_count=0, exec_time=1654634449, api_et=1654620000.000000000, api_lt=1654634400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654620000.000000000, search_lt=1654634400.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2854", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=146, eliminated_buckets=1, considered_events=31290701, total_slices=1596148, decompressed_slices=491948, duration.command.search.index=12937, invocations.command.search.index.bucketcache.hit=146, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=96324, invocations.command.search.rawdata.bucketcache.hit=25, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13465028, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 20:40:39.461, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654634340_70553', total_run_time=31.83, event_count=0, result_count=0, available_count=0, scan_count=31279144, drop_count=0, exec_time=1654634390, api_et=1654619940.000000000, api_lt=1654634340.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654619940.000000000, search_lt=1654634340.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2632", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=146, eliminated_buckets=1, considered_events=31279144, total_slices=1593907, decompressed_slices=491864, duration.command.search.index=11600, invocations.command.search.index.bucketcache.hit=146, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=91543, invocations.command.search.rawdata.bucketcache.hit=25, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13464895, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 20:40:09.143, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654633980_70426', total_run_time=398.41, event_count=0, result_count=0, available_count=0, scan_count=41570488, drop_count=0, exec_time=1654634005, api_et=1654630380.000000000, api_lt=1654633980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654630380.000000000, search_lt=1654634007.377519000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="4337", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_d1ac57fc88effccc", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=2283, eliminated_buckets=137, considered_events=41570488, total_slices=13809383, decompressed_slices=4055262, duration.command.search.index=15973, invocations.command.search.index.bucketcache.hit=2283, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=266335, invocations.command.search.rawdata.bucketcache.hit=291, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 20:39:38.666, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654634280_70537', total_run_time=20.07, event_count=0, result_count=0, available_count=0, scan_count=31278370, drop_count=0, exec_time=1654634330, api_et=1654619880.000000000, api_lt=1654634280.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654619880.000000000, search_lt=1654634280.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2767", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=1, considered_events=31278370, total_slices=1591819, decompressed_slices=491984, duration.command.search.index=10852, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=78440, invocations.command.search.rawdata.bucketcache.hit=25, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13467271, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 20:39:05.069, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654634220_70522', total_run_time=22.15, event_count=0, result_count=0, available_count=0, scan_count=31272183, drop_count=0, exec_time=1654634269, api_et=1654619820.000000000, api_lt=1654634220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654619820.000000000, search_lt=1654634220.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3060", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=1, considered_events=31272183, total_slices=1616145, decompressed_slices=491873, duration.command.search.index=11462, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=77206, invocations.command.search.rawdata.bucketcache.hit=26, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13468445, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 20:39:04.143, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654634160_70507', total_run_time=19.48, event_count=0, result_count=0, available_count=0, scan_count=31261520, drop_count=0, exec_time=1654634210, api_et=1654619760.000000000, api_lt=1654634160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654619760.000000000, search_lt=1654634160.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2711", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=0, considered_events=31261520, total_slices=1640304, decompressed_slices=491772, duration.command.search.index=11041, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=76259, invocations.command.search.rawdata.bucketcache.hit=27, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13468630, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 20:36:35.852, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654634100_70497', total_run_time=21.57, event_count=0, result_count=0, available_count=0, scan_count=31253073, drop_count=0, exec_time=1654634150, api_et=1654619700.000000000, api_lt=1654634100.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654619700.000000000, search_lt=1654634100.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2695", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=146, eliminated_buckets=0, considered_events=31253073, total_slices=1638094, decompressed_slices=491741, duration.command.search.index=10936, invocations.command.search.index.bucketcache.hit=146, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=79164, invocations.command.search.rawdata.bucketcache.hit=26, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13469371, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 20:35:33.944, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654634040_70476', total_run_time=32.86, event_count=0, result_count=0, available_count=0, scan_count=31243818, drop_count=0, exec_time=1654634090, api_et=1654619640.000000000, api_lt=1654634040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654619640.000000000, search_lt=1654634040.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2712", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=146, eliminated_buckets=0, considered_events=31243818, total_slices=1636003, decompressed_slices=491784, duration.command.search.index=11881, invocations.command.search.index.bucketcache.hit=146, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=84204, invocations.command.search.rawdata.bucketcache.hit=26, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13469292, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 20:34:34.347, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654633980_70440', total_run_time=41.62, event_count=0, result_count=0, available_count=0, scan_count=31246381, drop_count=0, exec_time=1654634030, api_et=1654619580.000000000, api_lt=1654633980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654619580.000000000, search_lt=1654633980.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2709", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=146, eliminated_buckets=0, considered_events=31246381, total_slices=1633808, decompressed_slices=491763, duration.command.search.index=14227, invocations.command.search.index.bucketcache.hit=146, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=107855, invocations.command.search.rawdata.bucketcache.hit=26, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13469968, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 20:34:04.926, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654633920_70404', total_run_time=52.20, event_count=0, result_count=0, available_count=0, scan_count=31246911, drop_count=0, exec_time=1654633969, api_et=1654619520.000000000, api_lt=1654633920.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654619520.000000000, search_lt=1654633920.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2783", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=31246911, total_slices=1631889, decompressed_slices=491735, duration.command.search.index=15264, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=118501, invocations.command.search.rawdata.bucketcache.hit=25, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13472231, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 20:32:33.884, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654633860_70375', total_run_time=30.66, event_count=0, result_count=0, available_count=0, scan_count=31247704, drop_count=0, exec_time=1654633909, api_et=1654619460.000000000, api_lt=1654633860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654619460.000000000, search_lt=1654633860.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2656", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=31247704, total_slices=1629901, decompressed_slices=491686, duration.command.search.index=11452, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=89377, invocations.command.search.rawdata.bucketcache.hit=25, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13475655, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 20:31:34.015, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654633800_70346', total_run_time=44.30, event_count=0, result_count=0, available_count=0, scan_count=31232667, drop_count=0, exec_time=1654633849, api_et=1654619400.000000000, api_lt=1654633800.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654619400.000000000, search_lt=1654633800.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3388", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=31232667, total_slices=1627441, decompressed_slices=491637, duration.command.search.index=15854, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=127569, invocations.command.search.rawdata.bucketcache.hit=25, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13476509, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 20:31:04.386, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654633740_70305', total_run_time=46.68, event_count=0, result_count=0, available_count=0, scan_count=31231425, drop_count=0, exec_time=1654633789, api_et=1654619340.000000000, api_lt=1654633740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654619340.000000000, search_lt=1654633740.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2790", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=31231425, total_slices=1625438, decompressed_slices=491683, duration.command.search.index=11815, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=96692, invocations.command.search.rawdata.bucketcache.hit=25, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13479912, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 20:29:34.127, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654633680_70292', total_run_time=24.04, event_count=0, result_count=0, available_count=0, scan_count=31229476, drop_count=0, exec_time=1654633730, api_et=1654619280.000000000, api_lt=1654633680.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654619280.000000000, search_lt=1654633680.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2743", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=31229476, total_slices=1623614, decompressed_slices=491686, duration.command.search.index=11378, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=83192, invocations.command.search.rawdata.bucketcache.hit=24, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13482716, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 20:28:34.158, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654633620_70277', total_run_time=21.93, event_count=0, result_count=0, available_count=0, scan_count=31220474, drop_count=0, exec_time=1654633669, api_et=1654619220.000000000, api_lt=1654633620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654619220.000000000, search_lt=1654633620.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2716", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=31220474, total_slices=1621444, decompressed_slices=491608, duration.command.search.index=10801, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=82528, invocations.command.search.rawdata.bucketcache.hit=24, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13483489, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 20:27:34.183, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654633560_70259', total_run_time=21.70, event_count=0, result_count=0, available_count=0, scan_count=31208776, drop_count=0, exec_time=1654633609, api_et=1654619160.000000000, api_lt=1654633560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654619160.000000000, search_lt=1654633560.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2729", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=31208776, total_slices=1619422, decompressed_slices=491499, duration.command.search.index=11166, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=80453, invocations.command.search.rawdata.bucketcache.hit=24, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13484810, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 20:26:34.053, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654633500_70243', total_run_time=24.31, event_count=0, result_count=0, available_count=0, scan_count=31198028, drop_count=0, exec_time=1654633549, api_et=1654619100.000000000, api_lt=1654633500.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654619100.000000000, search_lt=1654633500.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2818", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=31198028, total_slices=1617252, decompressed_slices=491449, duration.command.search.index=11128, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=83056, invocations.command.search.rawdata.bucketcache.hit=24, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13483146, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 20:25:34.100, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654633440_70229', total_run_time=35.88, event_count=0, result_count=0, available_count=0, scan_count=31189035, drop_count=0, exec_time=1654633489, api_et=1654619040.000000000, api_lt=1654633440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654619040.000000000, search_lt=1654633440.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2688", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=1, considered_events=31189035, total_slices=1667702, decompressed_slices=491371, duration.command.search.index=12619, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=92593, invocations.command.search.rawdata.bucketcache.hit=26, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13483504, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 20:24:33.979, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654633380_70211', total_run_time=36.40, event_count=0, result_count=0, available_count=0, scan_count=31183660, drop_count=0, exec_time=1654633429, api_et=1654618980.000000000, api_lt=1654633380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654618980.000000000, search_lt=1654633380.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2763", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=1, considered_events=31183660, total_slices=1665473, decompressed_slices=491359, duration.command.search.index=11817, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=85058, invocations.command.search.rawdata.bucketcache.hit=26, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13483973, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 20:24:04.232, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654633320_70179', total_run_time=47.60, event_count=0, result_count=0, available_count=0, scan_count=31177547, drop_count=0, exec_time=1654633369, api_et=1654618920.000000000, api_lt=1654633320.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654618920.000000000, search_lt=1654633320.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3114", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=1, considered_events=31177547, total_slices=1663514, decompressed_slices=491397, duration.command.search.index=12277, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=91571, invocations.command.search.rawdata.bucketcache.hit=26, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13484638, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 20:23:01.805, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654633260_70163', total_run_time=48.90, event_count=0, result_count=0, available_count=0, scan_count=31172194, drop_count=0, exec_time=1654633309, api_et=1654618860.000000000, api_lt=1654633260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654618860.000000000, search_lt=1654633260.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2766", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=1, considered_events=31172194, total_slices=1661439, decompressed_slices=491316, duration.command.search.index=13453, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=96358, invocations.command.search.rawdata.bucketcache.hit=25, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13484610, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 20:21:07.287, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654633140_70099', total_run_time=61.47, event_count=0, result_count=0, available_count=0, scan_count=31145984, drop_count=0, exec_time=1654633190, api_et=1654618740.000000000, api_lt=1654633140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654618740.000000000, search_lt=1654633140.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2971", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=1, considered_events=31145984, total_slices=1657394, decompressed_slices=490981, duration.command.search.index=13430, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=113482, invocations.command.search.rawdata.bucketcache.hit=25, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13484211, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 20:20:04.151, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654633080_70074', total_run_time=48.52, event_count=0, result_count=0, available_count=0, scan_count=31136833, drop_count=0, exec_time=1654633130, api_et=1654618680.000000000, api_lt=1654633080.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654618680.000000000, search_lt=1654633080.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3047", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=1, considered_events=31136833, total_slices=1655047, decompressed_slices=490871, duration.command.search.index=13694, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=105510, invocations.command.search.rawdata.bucketcache.hit=25, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13483674, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 20:19:05.380, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654633020_70053', total_run_time=49.50, event_count=0, result_count=0, available_count=0, scan_count=31128115, drop_count=0, exec_time=1654633070, api_et=1654618620.000000000, api_lt=1654633020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654618620.000000000, search_lt=1654633020.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3281", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=1, considered_events=31128115, total_slices=1652815, decompressed_slices=490763, duration.command.search.index=13498, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=98308, invocations.command.search.rawdata.bucketcache.hit=25, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13484559, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 20:18:06.175, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654632960_70030', total_run_time=52.84, event_count=0, result_count=0, available_count=0, scan_count=31116816, drop_count=0, exec_time=1654633010, api_et=1654618560.000000000, api_lt=1654632960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654618560.000000000, search_lt=1654632960.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3210", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=1, considered_events=31116816, total_slices=1650707, decompressed_slices=490640, duration.command.search.index=13920, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=101633, invocations.command.search.rawdata.bucketcache.hit=25, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13483248, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 20:17:05.306, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654632900_70013', total_run_time=47.42, event_count=0, result_count=0, available_count=0, scan_count=31105365, drop_count=0, exec_time=1654632950, api_et=1654618500.000000000, api_lt=1654632900.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654618500.000000000, search_lt=1654632900.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3207", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=146, eliminated_buckets=0, considered_events=31105365, total_slices=1648752, decompressed_slices=490564, duration.command.search.index=13113, invocations.command.search.index.bucketcache.hit=146, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=96903, invocations.command.search.rawdata.bucketcache.hit=25, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13482371, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 20:16:33.982, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654632960_70024', total_run_time=10.67, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654632973, api_et=1654628760.000000000, api_lt=1654632360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654629360.000000000, search_lt=1654632975.122354000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3719", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_0c0679b1826ff0e0", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1118, eliminated_buckets=385, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=908, invocations.command.search.index.bucketcache.hit=1117, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 20:16:03.922, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654632840_69994', total_run_time=47.40, event_count=0, result_count=0, available_count=0, scan_count=31087893, drop_count=0, exec_time=1654632889, api_et=1654618440.000000000, api_lt=1654632840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654618440.000000000, search_lt=1654632840.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2718", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=146, eliminated_buckets=0, considered_events=31087893, total_slices=1646458, decompressed_slices=490430, duration.command.search.index=11326, invocations.command.search.index.bucketcache.hit=146, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=87525, invocations.command.search.rawdata.bucketcache.hit=25, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13479423, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 20:15:04.048, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654632840_69980', total_run_time=12.89, event_count=0, result_count=0, available_count=0, scan_count=15918, drop_count=0, exec_time=1654632863, api_et=1654629240.000000000, api_lt=1654632840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654629240.000000000, search_lt=1654632865.086942000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2901", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", 
provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=406, eliminated_buckets=288, considered_events=16014, total_slices=359679, decompressed_slices=4534, duration.command.search.index=1443, invocations.command.search.index.bucketcache.hit=406, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=6600, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=80, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=466, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=1241, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=294, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=6, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=426, sourcetype_count__crowdstrike:falcon:fdr:RtfFileWritten=4, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=4, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR 
sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." 
(CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-07-2022 20:14:34.062, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654632780_69970', total_run_time=42.20, event_count=0, result_count=0, available_count=0, scan_count=31077701, drop_count=0, exec_time=1654632829, api_et=1654618380.000000000, api_lt=1654632780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654618380.000000000, search_lt=1654632780.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2593", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=0, considered_events=31077701, total_slices=1697085, decompressed_slices=490444, duration.command.search.index=11160, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=84650, invocations.command.search.rawdata.bucketcache.hit=26, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13479991, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 20:14:03.915, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654632720_69944', total_run_time=46.89, event_count=0, result_count=0, available_count=0, scan_count=31068121, drop_count=0, exec_time=1654632769, api_et=1654618320.000000000, api_lt=1654632720.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654618320.000000000, search_lt=1654632720.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2860", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=0, considered_events=31068121, total_slices=1695099, decompressed_slices=490471, duration.command.search.index=12357, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=97485, invocations.command.search.rawdata.bucketcache.hit=25, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13481180, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 20:13:04.380, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654632660_69926', total_run_time=50.70, event_count=0, result_count=0, available_count=0, scan_count=31056846, drop_count=0, exec_time=1654632709, api_et=1654618260.000000000, api_lt=1654632660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654618260.000000000, search_lt=1654632660.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3176", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=0, considered_events=31056846, total_slices=1692988, decompressed_slices=490348, duration.command.search.index=11875, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=91227, invocations.command.search.rawdata.bucketcache.hit=25, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13481514, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 20:11:33.932, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654632660_69909', total_run_time=5.01, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654632665, api_et=1654629060.000000000, api_lt=1654632660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654629060.000000000, search_lt=1654632667.175445000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2805", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_99258e98ed148869", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=141, eliminated_buckets=62, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=32, invocations.command.search.index.bucketcache.hit=141, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting 
to collect intellectual property from the Gitlab source control system." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 20:10:50.246, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654632540_69870', total_run_time=59.15, event_count=0, result_count=0, available_count=0, scan_count=31024946, drop_count=0, exec_time=1654632589, api_et=1654618140.000000000, api_lt=1654632540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654618140.000000000, search_lt=1654632540.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2869", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=147, eliminated_buckets=0, considered_events=31024946, total_slices=1688689, decompressed_slices=490125, duration.command.search.index=13049, invocations.command.search.index.bucketcache.hit=147, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=104192, invocations.command.search.rawdata.bucketcache.hit=25, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13479441, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 20:10:21.397, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654632420_69798', total_run_time=52.27, event_count=0, result_count=0, available_count=0, scan_count=31003368, drop_count=0, exec_time=1654632470, api_et=1654618020.000000000, api_lt=1654632420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654618020.000000000, search_lt=1654632420.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2887", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=146, eliminated_buckets=0, considered_events=31003368, total_slices=1684439, decompressed_slices=489970, duration.command.search.index=12807, invocations.command.search.index.bucketcache.hit=146, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=104262, invocations.command.search.rawdata.bucketcache.hit=25, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13479814, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 20:10:21.292, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654632540_69846', total_run_time=24.17, event_count=1, result_count=1, available_count=0, scan_count=5124504, drop_count=0, exec_time=1654632546, api_et=1654628340.000000000, api_lt=1654631940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654628340.000000000, search_lt=1654631940.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3112", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_7a65a397b84e3a5f", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=825, eliminated_buckets=424, considered_events=5124504, total_slices=1098548, decompressed_slices=236626, duration.command.search.index=2219, invocations.command.search.index.bucketcache.hit=824, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=39140, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=145, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 20:10:20.826, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654632420_69784', total_run_time=12.81, event_count=0, result_count=0, available_count=0, scan_count=1, drop_count=0, exec_time=1654632446, api_et=1654628820.000000000, api_lt=1654632420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654628820.000000000, search_lt=1654632448.309499000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To 
Gitlab Servers - Rule", search_startup_time="2895", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_14bfb06453bc5d63", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=409, eliminated_buckets=190, considered_events=1, total_slices=7190, decompressed_slices=1, duration.command.search.index=1214, invocations.command.search.index.bucketcache.hit=407, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=188, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine 
dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 20:10:20.719, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654632420_69803', total_run_time=26.10, event_count=1197, result_count=57, available_count=0, scan_count=553763, drop_count=0, exec_time=1654632480, api_et=1654628820.000000000, api_lt=1654632420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654628820.000000000, search_lt=1654632482.624728000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2959", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=408, eliminated_buckets=190, considered_events=564454, total_slices=644749, decompressed_slices=139738, duration.command.search.index=5077, invocations.command.search.index.bucketcache.hit=407, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=46319, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, 
invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=7, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=442627, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=44232, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] 
Audit:[timestamp=06-07-2022 20:10:20.268, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654632360_69769', total_run_time=49.87, event_count=0, result_count=0, available_count=0, scan_count=30992748, drop_count=0, exec_time=1654632411, api_et=1654617960.000000000, api_lt=1654632360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654617960.000000000, search_lt=1654632360.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3097", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=30992748, total_slices=1682441, decompressed_slices=489942, duration.command.search.index=12645, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=99994, invocations.command.search.rawdata.bucketcache.hit=25, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13480891, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs 
sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 20:10:20.235, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654632480_69824', total_run_time=44.22, event_count=0, result_count=0, available_count=0, scan_count=31014131, drop_count=0, exec_time=1654632529, api_et=1654618080.000000000, api_lt=1654632480.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654618080.000000000, search_lt=1654632480.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2678", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=146, eliminated_buckets=0, considered_events=31014131, total_slices=1686518, decompressed_slices=490078, duration.command.search.index=12336, invocations.command.search.index.bucketcache.hit=146, 
duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=93581, invocations.command.search.rawdata.bucketcache.hit=25, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13479159, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 20:06:13.554, user=u00002, action=search, info=completed, 
search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654632240_69728', total_run_time=61.25, event_count=0, result_count=0, available_count=0, scan_count=30966543, drop_count=0, exec_time=1654632290, api_et=1654617840.000000000, api_lt=1654632240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654617840.000000000, search_lt=1654632240.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2865", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=30966543, total_slices=1704188, decompressed_slices=489879, duration.command.search.index=17795, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=133759, invocations.command.search.rawdata.bucketcache.hit=23, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13481166, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" 
src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 20:04:13.913, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654632120_69643', total_run_time=72.71, event_count=0, result_count=0, available_count=0, scan_count=30939550, drop_count=0, exec_time=1654632169, api_et=1654617720.000000000, api_lt=1654632120.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654617720.000000000, search_lt=1654632120.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2673", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=30939550, total_slices=1699605, decompressed_slices=489596, duration.command.search.index=19403, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, 
invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=178375, invocations.command.search.rawdata.bucketcache.hit=23, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13479267, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 20:02:13.838, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654632000_69584', total_run_time=67.84, 
event_count=0, result_count=0, available_count=0, scan_count=30905648, drop_count=0, exec_time=1654632050, api_et=1654617600.000000000, api_lt=1654632000.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654617600.000000000, search_lt=1654632000.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2726", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=0, considered_events=30905648, total_slices=1695344, decompressed_slices=489231, duration.command.search.index=19140, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=196357, invocations.command.search.rawdata.bucketcache.hit=23, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=13473151, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, 
dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 19:45:02.390, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654630980_69272', total_run_time=46.70, event_count=0, result_count=0, available_count=0, scan_count=3833, drop_count=0, exec_time=1654631018, api_et=1654627380.000000000, api_lt=1654630980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654627380.000000000, search_lt=1654631020.693345000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2876", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_1cdcbf70e240cbfe", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=3833, total_slices=863874, decompressed_slices=1168, duration.command.search.index=2074, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, 
invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=6212, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 19:36:09.871, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654630380_69054', total_run_time=158.15, event_count=0, result_count=0, available_count=0, scan_count=41533826, drop_count=0, exec_time=1654630405, api_et=1654626780.000000000, 
api_lt=1654630380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654626780.000000000, search_lt=1654630407.278246000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3267", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_b374c454ee2f6125", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=2283, eliminated_buckets=137, considered_events=41533826, total_slices=13669383, decompressed_slices=4078323, duration.command.search.index=14876, invocations.command.search.index.bucketcache.hit=2283, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=225924, invocations.command.search.rawdata.bucketcache.hit=286, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats 
earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 19:16:40.060, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654629360_68690', total_run_time=9.22, event_count=0, result_count=0, available_count=0, scan_count=9, drop_count=0, exec_time=1654629371, api_et=1654625160.000000000, api_lt=1654628760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654625760.000000000, search_lt=1654629373.373584000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3882", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_e0945be065ea8bd9", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1110, eliminated_buckets=386, considered_events=9, total_slices=17093, decompressed_slices=4, duration.command.search.index=895, invocations.command.search.index.bucketcache.hit=1110, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=180, 
invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt 
RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 19:14:39.732, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654629240_68650', total_run_time=10.00, event_count=0, result_count=0, available_count=0, scan_count=15190, drop_count=0, exec_time=1654629263, api_et=1654625640.000000000, api_lt=1654629240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654625640.000000000, search_lt=1654629265.262824000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2901", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=421, eliminated_buckets=288, considered_events=15224, total_slices=534395, decompressed_slices=4834, duration.command.search.index=1760, invocations.command.search.index.bucketcache.hit=418, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=7240, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=76, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=541, 
sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=1500, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=349, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=11, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=387, sourcetype_count__crowdstrike:falcon:fdr:RtfFileWritten=4, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=10, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR 
sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-07-2022 19:11:40.001, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654629060_68584', total_run_time=4.91, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654629065, api_et=1654625460.000000000, api_lt=1654629060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654625460.000000000, search_lt=1654629067.098533000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2872", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_87a75c6b6bbf6832", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, 
searched_buckets=141, eliminated_buckets=60, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=38, invocations.command.search.index.bucketcache.hit=141, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 19:09:39.805, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654628940_68540', total_run_time=19.91, event_count=0, result_count=0, available_count=0, scan_count=4813092, drop_count=0, exec_time=1654628946, api_et=1654624740.000000000, api_lt=1654628340.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654624740.000000000, search_lt=1654628340.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3756", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_a9e096da168ae046", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=818, eliminated_buckets=414, considered_events=4813092, total_slices=1098249, decompressed_slices=230801, duration.command.search.index=2120, invocations.command.search.index.bucketcache.hit=814, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=38725, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=243, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 19:08:34.045, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654628820_68522', total_run_time=23.81, event_count=1255, result_count=58, available_count=0, scan_count=562428, drop_count=0, exec_time=1654628880, api_et=1654625220.000000000, api_lt=1654628820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654625220.000000000, search_lt=1654628882.390453000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="3117", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=422, eliminated_buckets=207, considered_events=571300, total_slices=643302, decompressed_slices=158283, duration.command.search.index=5887, invocations.command.search.index.bucketcache.hit=421, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=49577, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=8, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=443391, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=42668, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype 
CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-07-2022 19:08:17.974, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654628820_68517', total_run_time=7.90, event_count=0, result_count=0, available_count=0, scan_count=1, drop_count=0, exec_time=1654628846, api_et=1654625220.000000000, api_lt=1654628820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654625220.000000000, search_lt=1654628848.101321000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2795", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_197176c390db986e", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=422, eliminated_buckets=207, considered_events=1, total_slices=3117, decompressed_slices=1, duration.command.search.index=1309, invocations.command.search.index.bucketcache.hit=421, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=139, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 18:52:21.321, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654627380_68020', total_run_time=59.08, event_count=0, result_count=0, available_count=0, scan_count=3587, drop_count=0, exec_time=1654627419, api_et=1654623780.000000000, api_lt=1654627380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654623780.000000000, search_lt=1654627421.119697000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3074", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_7d45607f4157c044", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=124, eliminated_buckets=0, considered_events=3587, total_slices=1092023, decompressed_slices=1453, duration.command.search.index=1946, invocations.command.search.index.bucketcache.hit=124, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=6192, invocations.command.search.rawdata.bucketcache.hit=6, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 18:36:29.171, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654626780_67798', total_run_time=60.23, event_count=0, result_count=0, available_count=0, scan_count=41331431, drop_count=0, exec_time=1654626805, api_et=1654623180.000000000, api_lt=1654626780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654623180.000000000, search_lt=1654626807.807445000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="4015", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_72f85a346c327ac8", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=2312, eliminated_buckets=137, considered_events=41331431, total_slices=13605518, decompressed_slices=4013396, duration.command.search.index=15715, invocations.command.search.index.bucketcache.hit=2310, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=266319, invocations.command.search.rawdata.bucketcache.hit=287, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 18:21:25.179, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654625760_67421', total_run_time=16.22, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654625771, api_et=1654621560.000000000, api_lt=1654625160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654622160.000000000, search_lt=1654625773.684479000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3740", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_a8fb8801cfbc85dc", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1111, eliminated_buckets=389, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=2127, invocations.command.search.index.bucketcache.hit=1111, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 18:14:52.449, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654625640_67381', total_run_time=5.18, event_count=0, result_count=0, available_count=0, scan_count=22317, drop_count=0, exec_time=1654625663, api_et=1654622040.000000000, api_lt=1654625640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654622040.000000000, search_lt=1654625665.169933000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2861", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=426, eliminated_buckets=289, considered_events=24064, total_slices=972606, decompressed_slices=4995, duration.command.search.index=1288, invocations.command.search.index.bucketcache.hit=426, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=6328, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=38, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=384, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=1030, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=248, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=4, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=260, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=5, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") 
`filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-07-2022 18:11:12.415, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654625460_67314', total_run_time=5.08, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654625464, api_et=1654621860.000000000, api_lt=1654625460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654621860.000000000, search_lt=1654625466.711720000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2930", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_3126a48a32938b60", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=142, eliminated_buckets=61, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=33, invocations.command.search.index.bucketcache.hit=142, 
duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 18:10:50.866, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654625220_67248', total_run_time=19.79, event_count=869, result_count=59, available_count=0, scan_count=324804, drop_count=0, exec_time=1654625280, api_et=1654621620.000000000, api_lt=1654625220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654621620.000000000, search_lt=1654625282.808629000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - Windows - CLI Threat Indicator Detected - Rule", search_startup_time="3249", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=426, eliminated_buckets=210, considered_events=330945, total_slices=491913, decompressed_slices=106159, duration.command.search.index=3652, invocations.command.search.index.bucketcache.hit=425, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=32409, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=3, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=256177, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=22177, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-07-2022 18:10:50.328, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654625220_67243', total_run_time=5.23, event_count=0, result_count=0, available_count=0, scan_count=2, drop_count=0, exec_time=1654625246, api_et=1654621620.000000000, api_lt=1654625220.000000000, api_index_et=N/A, 
api_index_lt=N/A, search_et=1654621620.000000000, search_lt=1654625248.395856000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2893", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_e3cc086cfca11555", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=427, eliminated_buckets=210, considered_events=2, total_slices=28355, decompressed_slices=2, duration.command.search.index=835, invocations.command.search.index.bucketcache.hit=425, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=264, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine 
"sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 18:10:47.436, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654625340_67268', total_run_time=20.80, event_count=0, result_count=0, available_count=0, scan_count=4885147, drop_count=0, exec_time=1654625345, api_et=1654621140.000000000, api_lt=1654624740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654621140.000000000, search_lt=1654624740.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3366", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_a8943c282fa3d29d", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=793, eliminated_buckets=394, considered_events=4885147, total_slices=1122906, decompressed_slices=225572, duration.command.search.index=2060, invocations.command.search.index.bucketcache.hit=792, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=36388, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=111, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 17:44:29.869, user=u00001, action=search, 
info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654623780_66752', total_run_time=39.29, event_count=0, result_count=0, available_count=0, scan_count=3275, drop_count=0, exec_time=1654623818, api_et=1654620180.000000000, api_lt=1654623780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654620180.000000000, search_lt=1654623820.816956000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3079", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_93ba2de8f2b6704a", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=122, eliminated_buckets=1, considered_events=3275, total_slices=1160363, decompressed_slices=1282, duration.command.search.index=1623, invocations.command.search.index.bucketcache.hit=122, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=6179, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") 
earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 17:35:40.327, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654623180_66535', total_run_time=131.52, event_count=0, result_count=0, available_count=0, scan_count=41250630, drop_count=0, exec_time=1654623205, api_et=1654619580.000000000, api_lt=1654623180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654619580.000000000, search_lt=1654623207.377932000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3367", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_7ce970c10b9588ed", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=2332, eliminated_buckets=137, considered_events=41250630, total_slices=13582009, decompressed_slices=4022446, duration.command.search.index=19900, invocations.command.search.index.bucketcache.hit=2326, 
duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=269096, invocations.command.search.rawdata.bucketcache.hit=270, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 17:16:25.005, user=u00001, action=search, info=completed, 
search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654622160_66173', total_run_time=9.54, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654622171, api_et=1654617960.000000000, api_lt=1654621560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654618560.000000000, search_lt=1654622173.768368000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="4021", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_5ca60fac8e117b70", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1109, eliminated_buckets=388, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=926, invocations.command.search.index.bucketcache.hit=1109, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert 
OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 17:14:55.177, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654622040_66132', total_run_time=6.38, event_count=0, result_count=0, available_count=0, scan_count=14566, drop_count=0, exec_time=1654622063, api_et=1654618440.000000000, api_lt=1654622040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654618440.000000000, search_lt=1654622065.210203000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2894", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=444, eliminated_buckets=315, considered_events=14566, total_slices=831268, decompressed_slices=4404, duration.command.search.index=1418, invocations.command.search.index.bucketcache.hit=444, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=6764, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=41, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=290, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=828, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=192, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=4, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=374, sourcetype_count__crowdstrike:falcon:fdr:SevenZipFileWritten=4, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=4, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR 
sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-07-2022 17:11:13.766, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654621860_66066', total_run_time=4.55, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654621864, api_et=1654618260.000000000, api_lt=1654621860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654618260.000000000, search_lt=1654621865.730544000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2294", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_24c4942c0a76e40c", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=142, eliminated_buckets=61, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=34, 
invocations.command.search.index.bucketcache.hit=142, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 17:10:53.925, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654621740_66022', total_run_time=19.20, event_count=0, result_count=0, available_count=0, scan_count=4714173, drop_count=0, exec_time=1654621745, api_et=1654617540.000000000, api_lt=1654621140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654617540.000000000, search_lt=1654621140.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3153", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_a0f9ff369b731ec3", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=811, eliminated_buckets=406, considered_events=4714173, total_slices=1164911, decompressed_slices=223072, duration.command.search.index=2148, invocations.command.search.index.bucketcache.hit=808, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=38418, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=82, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 17:10:52.619, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654621620_66004', total_run_time=23.62, event_count=1792, result_count=58, available_count=0, scan_count=417333, drop_count=0, exec_time=1654621680, api_et=1654618020.000000000, api_lt=1654621620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654618020.000000000, search_lt=1654621682.439276000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2993", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=442, eliminated_buckets=200, considered_events=422305, total_slices=838294, decompressed_slices=194490, duration.command.search.index=5512, invocations.command.search.index.bucketcache.hit=442, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56274, invocations.command.search.rawdata.bucketcache.hit=31, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=2, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=343552, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=27440, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype 
CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-07-2022 17:07:47.390, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654621620_65998', total_run_time=9.99, event_count=0, result_count=0, available_count=0, scan_count=2, drop_count=0, exec_time=1654621646, api_et=1654618020.000000000, api_lt=1654621620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654618020.000000000, search_lt=1654621648.031122000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2786", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_48f7c438ce1b3d2e", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=442, eliminated_buckets=200, considered_events=2, total_slices=7759, decompressed_slices=2, duration.command.search.index=1250, invocations.command.search.index.bucketcache.hit=442, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=294, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 17:04:49.977, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654620660_65664', total_run_time=33.65, event_count=0, result_count=0, available_count=0, scan_count=25743993, drop_count=0, exec_time=1654620710, api_et=1654606260.000000000, api_lt=1654620660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654606260.000000000, search_lt=1654620660.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2652", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=133, eliminated_buckets=1, considered_events=25743993, total_slices=1707982, decompressed_slices=423407, duration.command.search.index=11059, invocations.command.search.index.bucketcache.hit=133, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=86002, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12519446, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 17:04:49.901, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654621140_65797', total_run_time=54.20, event_count=0, result_count=0, available_count=0, scan_count=25991137, drop_count=0, exec_time=1654621191, api_et=1654606740.000000000, api_lt=1654621140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654606740.000000000, search_lt=1654621140.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2720", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=133, eliminated_buckets=0, considered_events=25991137, total_slices=1724490, decompressed_slices=426155, duration.command.search.index=10661, invocations.command.search.index.bucketcache.hit=133, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=103252, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12570333, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 17:04:49.562, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654621020_65768', total_run_time=36.46, event_count=0, result_count=0, available_count=0, scan_count=25928593, drop_count=0, exec_time=1654621070, api_et=1654606620.000000000, api_lt=1654621020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654606620.000000000, search_lt=1654621020.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2709", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=133, eliminated_buckets=0, considered_events=25928593, total_slices=1720247, decompressed_slices=425453, duration.command.search.index=10315, invocations.command.search.index.bucketcache.hit=133, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=80727, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12558494, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 17:04:48.493, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654620780_65705', total_run_time=36.30, event_count=0, result_count=0, available_count=0, scan_count=25808425, drop_count=0, exec_time=1654620829, api_et=1654606380.000000000, api_lt=1654620780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654606380.000000000, search_lt=1654620780.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3216", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=133, eliminated_buckets=0, considered_events=25808425, total_slices=1712113, decompressed_slices=424122, duration.command.search.index=10357, invocations.command.search.index.bucketcache.hit=133, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=84651, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12532800, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 17:04:48.117, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654620960_65749', total_run_time=30.12, event_count=0, result_count=0, available_count=0, scan_count=25896332, drop_count=0, exec_time=1654621009, api_et=1654606560.000000000, api_lt=1654620960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654606560.000000000, search_lt=1654620960.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2719", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=133, eliminated_buckets=0, considered_events=25896332, total_slices=1718212, decompressed_slices=425078, duration.command.search.index=10250, invocations.command.search.index.bucketcache.hit=133, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=77998, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12552107, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 17:04:47.365, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654620900_65738', total_run_time=37.80, event_count=0, result_count=0, available_count=0, scan_count=25866488, drop_count=0, exec_time=1654620950, api_et=1654606500.000000000, api_lt=1654620900.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654606500.000000000, search_lt=1654620900.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2720", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=133, eliminated_buckets=0, considered_events=25866488, total_slices=1716078, decompressed_slices=424759, duration.command.search.index=10010, invocations.command.search.index.bucketcache.hit=133, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=81112, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12545706, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 17:04:46.945, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654620720_65681', total_run_time=39.34, event_count=0, result_count=0, available_count=0, scan_count=25773996, drop_count=0, exec_time=1654620769, api_et=1654606320.000000000, api_lt=1654620720.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654606320.000000000, search_lt=1654620720.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2612", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=133, eliminated_buckets=1, considered_events=25773996, total_slices=1709931, decompressed_slices=423772, duration.command.search.index=12038, invocations.command.search.index.bucketcache.hit=133, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=107794, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12525794, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 17:04:46.738, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654621080_65784', total_run_time=28.24, event_count=0, result_count=0, available_count=0, scan_count=25957556, drop_count=0, exec_time=1654621129, api_et=1654606680.000000000, api_lt=1654621080.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654606680.000000000, search_lt=1654621080.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2904", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=133, eliminated_buckets=0, considered_events=25957556, total_slices=1722423, decompressed_slices=425832, duration.command.search.index=10919, invocations.command.search.index.bucketcache.hit=133, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=78453, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12563475, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 17:04:46.237, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654620840_65722', total_run_time=30.94, event_count=0, result_count=0, available_count=0, scan_count=25834847, drop_count=0, exec_time=1654620890, api_et=1654606440.000000000, api_lt=1654620840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654606440.000000000, search_lt=1654620840.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3110", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=133, eliminated_buckets=0, considered_events=25834847, total_slices=1714097, decompressed_slices=424401, duration.command.search.index=11615, invocations.command.search.index.bucketcache.hit=133, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=86089, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12539076, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 16:51:34.467, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654620600_65639', total_run_time=42.56, event_count=0, result_count=0, available_count=0, scan_count=25714704, drop_count=0, exec_time=1654620650, api_et=1654606200.000000000, api_lt=1654620600.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654606200.000000000, search_lt=1654620600.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3200", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=133, eliminated_buckets=1, considered_events=25714704, total_slices=1705628, decompressed_slices=423169, duration.command.search.index=12330, invocations.command.search.index.bucketcache.hit=133, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=102887, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12511301, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 16:50:54.201, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654619940_65369', total_run_time=41.14, event_count=0, result_count=0, available_count=0, scan_count=25379504, drop_count=0, exec_time=1654619990, api_et=1654605540.000000000, api_lt=1654619940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654605540.000000000, search_lt=1654619940.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2702", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=25379504, total_slices=1683644, decompressed_slices=419391, duration.command.search.index=10881, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=90559, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12436473, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 16:50:53.806, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654620180_65477', total_run_time=46.10, event_count=0, result_count=0, available_count=0, scan_count=4309, drop_count=0, exec_time=1654620217, api_et=1654616580.000000000, api_lt=1654620180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654616580.000000000, search_lt=1654620219.502625000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2331", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_9eb82e41aa8e4c2d", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=121, eliminated_buckets=1, considered_events=4309, total_slices=1038576, decompressed_slices=1227, duration.command.search.index=1420, invocations.command.search.index.bucketcache.hit=121, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5851, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter 
vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 16:50:53.678, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654620120_65452', total_run_time=36.82, event_count=0, result_count=0, available_count=0, scan_count=25479868, drop_count=0, exec_time=1654620170, api_et=1654605720.000000000, api_lt=1654620120.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654605720.000000000, search_lt=1654620120.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2939", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=132, eliminated_buckets=1, considered_events=25479868, total_slices=1689708, decompressed_slices=420668, duration.command.search.index=10665, invocations.command.search.index.bucketcache.hit=132, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=86718, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12458996, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 16:50:53.344, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654620060_65429', total_run_time=41.89, event_count=0, result_count=0, available_count=0, scan_count=25442615, drop_count=0, exec_time=1654620110, api_et=1654605660.000000000, api_lt=1654620060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654605660.000000000, search_lt=1654620060.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2743", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=132, eliminated_buckets=1, considered_events=25442615, total_slices=1687838, decompressed_slices=420141, duration.command.search.index=9945, invocations.command.search.index.bucketcache.hit=132, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=85865, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12452195, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 16:50:53.213, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654620180_65480', total_run_time=37.97, event_count=0, result_count=0, available_count=0, scan_count=25508979, drop_count=0, exec_time=1654620230, api_et=1654605780.000000000, api_lt=1654620180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654605780.000000000, search_lt=1654620180.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3281", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=132, eliminated_buckets=1, considered_events=25508979, total_slices=1691813, decompressed_slices=420849, duration.command.search.index=10614, invocations.command.search.index.bucketcache.hit=132, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=81991, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12462754, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 16:50:52.428, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654620540_65603', total_run_time=45.61, event_count=0, result_count=0, available_count=0, scan_count=25684762, drop_count=0, exec_time=1654620590, api_et=1654606140.000000000, api_lt=1654620540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654606140.000000000, search_lt=1654620540.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3020", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=133, eliminated_buckets=1, considered_events=25684762, total_slices=1703841, decompressed_slices=422869, duration.command.search.index=10972, invocations.command.search.index.bucketcache.hit=133, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=86333, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12505535, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 16:50:48.050, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654620480_65580', total_run_time=37.71, event_count=0, result_count=0, available_count=0, scan_count=25656049, drop_count=0, exec_time=1654620530, api_et=1654606080.000000000, api_lt=1654620480.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654606080.000000000, search_lt=1654620480.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3084", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=133, eliminated_buckets=1, considered_events=25656049, total_slices=1701886, decompressed_slices=422538, duration.command.search.index=10560, invocations.command.search.index.bucketcache.hit=133, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=81358, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12499508, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 16:50:48.047, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654620420_65563', total_run_time=34.45, event_count=0, result_count=0, available_count=0, scan_count=25625148, drop_count=0, exec_time=1654620471, api_et=1654606020.000000000, api_lt=1654620420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654606020.000000000, search_lt=1654620420.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="4069", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=133, eliminated_buckets=1, considered_events=25625148, total_slices=1699822, decompressed_slices=422108, duration.command.search.index=9668, invocations.command.search.index.bucketcache.hit=133, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=79890, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12491949, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 16:50:46.223, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654620240_65501', total_run_time=28.14, event_count=0, result_count=0, available_count=0, scan_count=25537749, drop_count=0, exec_time=1654620290, api_et=1654605840.000000000, api_lt=1654620240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654605840.000000000, search_lt=1654620240.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2788", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=133, eliminated_buckets=2, considered_events=25537749, total_slices=1693852, decompressed_slices=421208, duration.command.search.index=9941, invocations.command.search.index.bucketcache.hit=133, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=77012, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12467992, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 16:50:45.988, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654620000_65404', total_run_time=42.37, event_count=0, result_count=0, available_count=0, scan_count=25413351, drop_count=0, exec_time=1654620050, api_et=1654605600.000000000, api_lt=1654620000.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654605600.000000000, search_lt=1654620000.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2683", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=25413351, total_slices=1685948, decompressed_slices=419716, duration.command.search.index=11614, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=90683, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12445027, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 16:50:45.902, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654620360_65541', total_run_time=26.38, event_count=0, result_count=0, available_count=0, scan_count=25598607, drop_count=0, exec_time=1654620411, api_et=1654605960.000000000, api_lt=1654620360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654605960.000000000, search_lt=1654620360.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3650", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=133, eliminated_buckets=1, considered_events=25598607, total_slices=1697799, decompressed_slices=421783, duration.command.search.index=9697, invocations.command.search.index.bucketcache.hit=133, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=76493, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12485116, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 16:50:45.877, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654620300_65523', total_run_time=29.09, event_count=0, result_count=0, available_count=0, scan_count=25569737, drop_count=0, exec_time=1654620351, api_et=1654605900.000000000, api_lt=1654620300.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654605900.000000000, search_lt=1654620300.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3202", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=133, eliminated_buckets=1, considered_events=25569737, total_slices=1695698, decompressed_slices=421509, duration.command.search.index=9601, invocations.command.search.index.bucketcache.hit=133, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=80033, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12476925, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 16:39:28.806, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654619880_65353', total_run_time=31.85, event_count=0, result_count=0, available_count=0, scan_count=25340859, drop_count=0, exec_time=1654619929, api_et=1654605480.000000000, api_lt=1654619880.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654605480.000000000, search_lt=1654619880.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2646", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=25340859, total_slices=1681576, decompressed_slices=418990, duration.command.search.index=10263, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=81942, invocations.command.search.rawdata.bucketcache.hit=18, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12425671, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 16:38:29.171, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654619820_65339', total_run_time=34.17, event_count=0, result_count=0, available_count=0, scan_count=25305745, drop_count=0, exec_time=1654619870, api_et=1654605420.000000000, api_lt=1654619820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654605420.000000000, search_lt=1654619820.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2721", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=25305745, total_slices=1679454, decompressed_slices=418679, duration.command.search.index=10102, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=82893, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12418505, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 16:37:20.972, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654619640_65293', total_run_time=41.87, event_count=0, result_count=0, available_count=0, scan_count=25202058, drop_count=0, exec_time=1654619689, api_et=1654605240.000000000, api_lt=1654619640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654605240.000000000, search_lt=1654619640.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2917", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=25202058, total_slices=1673610, decompressed_slices=417692, duration.command.search.index=10946, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=86326, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12388703, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 16:37:19.808, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654619760_65324', total_run_time=27.06, event_count=0, result_count=0, available_count=0, scan_count=25271637, drop_count=0, exec_time=1654619810, api_et=1654605360.000000000, api_lt=1654619760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654605360.000000000, search_lt=1654619760.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2880", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=25271637, total_slices=1677499, decompressed_slices=418350, duration.command.search.index=10240, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=73137, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12409403, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 16:37:19.678, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654619700_65314', total_run_time=37.87, event_count=0, result_count=0, available_count=0, scan_count=25237367, drop_count=0, exec_time=1654619749, api_et=1654605300.000000000, api_lt=1654619700.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654605300.000000000, search_lt=1654619700.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2705", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=25237367, total_slices=1675622, decompressed_slices=418065, duration.command.search.index=10397, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=83320, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12398840, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 16:34:26.969, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654619580_65244', total_run_time=50.13, event_count=0, result_count=0, available_count=0, scan_count=41334913, drop_count=0, exec_time=1654619605, api_et=1654615980.000000000, api_lt=1654619580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654615980.000000000, search_lt=1654619607.708113000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3886", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_d86600728543f711", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=2378, eliminated_buckets=131, considered_events=41334913, total_slices=13932710, decompressed_slices=4012517, duration.command.search.index=15270, invocations.command.search.index.bucketcache.hit=2378, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=246583, invocations.command.search.rawdata.bucketcache.hit=304, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 16:33:56.251, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654619520_65222', total_run_time=60.76, event_count=0, result_count=0, available_count=0, scan_count=25139467, drop_count=0, exec_time=1654619570, api_et=1654605120.000000000, api_lt=1654619520.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654605120.000000000, search_lt=1654619520.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3231", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=25139467, total_slices=1669595, decompressed_slices=417069, duration.command.search.index=14670, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=109510, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12372867, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 16:31:55.951, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654619400_65165', total_run_time=60.51, event_count=0, result_count=0, available_count=0, scan_count=25070028, drop_count=0, exec_time=1654619450, api_et=1654605000.000000000, api_lt=1654619400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654605000.000000000, search_lt=1654619400.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2961", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=0, considered_events=25070028, total_slices=1665402, decompressed_slices=416278, duration.command.search.index=14408, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=115578, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12352163, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 16:30:48.292, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654619340_65123', total_run_time=48.06, event_count=0, result_count=0, available_count=0, scan_count=25035436, drop_count=0, exec_time=1654619389, api_et=1654604940.000000000, api_lt=1654619340.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654604940.000000000, search_lt=1654619340.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2715", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=0, considered_events=25035436, total_slices=1663388, decompressed_slices=416023, duration.command.search.index=9823, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=87801, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12340998, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 16:30:33.505, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654619100_65060', total_run_time=33.98, event_count=0, result_count=0, available_count=0, scan_count=24912543, drop_count=0, exec_time=1654619150, api_et=1654604700.000000000, api_lt=1654619100.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654604700.000000000, search_lt=1654619100.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2785", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=129, eliminated_buckets=0, considered_events=24912543, total_slices=1655288, decompressed_slices=414720, duration.command.search.index=10025, invocations.command.search.index.bucketcache.hit=129, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=82559, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12311030, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 16:30:32.615, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654619160_65076', total_run_time=29.16, event_count=0, result_count=0, available_count=0, scan_count=24945794, drop_count=0, exec_time=1654619209, api_et=1654604760.000000000, api_lt=1654619160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654604760.000000000, search_lt=1654619160.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2782", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=129, eliminated_buckets=0, considered_events=24945794, total_slices=1657249, decompressed_slices=414966, duration.command.search.index=10094, invocations.command.search.index.bucketcache.hit=129, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=77632, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12318357, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 16:30:31.188, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654619040_65036', total_run_time=38.31, event_count=0, result_count=0, available_count=0, scan_count=24882531, drop_count=0, exec_time=1654619090, api_et=1654604640.000000000, api_lt=1654619040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654604640.000000000, search_lt=1654619040.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2931", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=129, eliminated_buckets=0, considered_events=24882531, total_slices=1653207, decompressed_slices=414366, duration.command.search.index=10690, invocations.command.search.index.bucketcache.hit=129, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=85000, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12304886, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 16:30:30.269, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654619220_65095', total_run_time=31.32, event_count=0, result_count=0, available_count=0, scan_count=24969484, drop_count=0, exec_time=1654619269, api_et=1654604820.000000000, api_lt=1654619220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654604820.000000000, search_lt=1654619220.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2730", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=0, considered_events=24969484, total_slices=1657973, decompressed_slices=415224, duration.command.search.index=10747, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=83710, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12317862, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 16:30:30.118, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654619280_65109', total_run_time=31.91, event_count=0, result_count=0, available_count=0, scan_count=25004640, drop_count=0, exec_time=1654619329, api_et=1654604880.000000000, api_lt=1654619280.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654604880.000000000, search_lt=1654619280.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2677", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=0, considered_events=25004640, total_slices=1661237, decompressed_slices=415740, duration.command.search.index=10088, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=79534, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12330730, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 16:24:44.274, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654618980_65017', total_run_time=39.69, event_count=0, result_count=0, available_count=0, scan_count=24852771, drop_count=0, exec_time=1654619029, api_et=1654604580.000000000, api_lt=1654618980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654604580.000000000, search_lt=1654618980.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2747", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=129, eliminated_buckets=0, considered_events=24852771, total_slices=1651221, decompressed_slices=414146, duration.command.search.index=10910, invocations.command.search.index.bucketcache.hit=129, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=81066, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12298315, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 16:24:24.952, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654618860_64968', total_run_time=33.70, event_count=0, result_count=0, available_count=0, scan_count=24784074, drop_count=0, exec_time=1654618909, api_et=1654604460.000000000, api_lt=1654618860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654604460.000000000, search_lt=1654618860.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2728", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=129, eliminated_buckets=0, considered_events=24784074, total_slices=1647167, decompressed_slices=413409, duration.command.search.index=10752, invocations.command.search.index.bucketcache.hit=129, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=80379, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12285561, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 16:24:24.499, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654618800_64939', total_run_time=45.32, event_count=0, result_count=0, available_count=0, scan_count=24749864, drop_count=0, exec_time=1654618850, api_et=1654604400.000000000, api_lt=1654618800.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654604400.000000000, search_lt=1654618800.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3167", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=129, eliminated_buckets=0, considered_events=24749864, total_slices=1645081, decompressed_slices=412926, duration.command.search.index=11495, invocations.command.search.index.bucketcache.hit=129, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=95025, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12276614, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 16:24:22.980, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654618920_64985', total_run_time=34.64, event_count=0, result_count=0, available_count=0, scan_count=24818513, drop_count=0, exec_time=1654618969, api_et=1654604520.000000000, api_lt=1654618920.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654604520.000000000, search_lt=1654618920.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3160", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=129, eliminated_buckets=0, considered_events=24818513, total_slices=1649175, decompressed_slices=413720, duration.command.search.index=10619, invocations.command.search.index.bucketcache.hit=129, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=84962, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12292498, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 16:24:22.229, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD5f35305de57109d38_at_1654618800_64945', total_run_time=49.42, event_count=12276614, result_count=15, available_count=0, scan_count=24749849, drop_count=0, exec_time=1654618862, api_et=1654604400.000000000, api_lt=1654618800.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654604400.000000000, search_lt=1654618800.000000000, is_realtime=0, savedsearch_name="(1/3)_Public/NAT IP_Updating Existing IP", search_startup_time="3132", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_0f6d107c44b6659a", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=129, eliminated_buckets=0, considered_events=24749849, total_slices=1645602, decompressed_slices=412930, duration.command.search.index=11482, invocations.command.search.index.bucketcache.hit=129, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=93201, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12276614, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="False" | eval earliest_seen=strptime(existing_es, "%m/%d/%Y %H:%M:%S.%N") | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(earliest_seen) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields ServiceType, host, src_translated_ip, earliest_seen, latest_seen, right_now, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 16:20:53.859, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654618740_64900', total_run_time=46.75, event_count=0, result_count=0, available_count=0, scan_count=24717370, drop_count=0, exec_time=1654618790, api_et=1654604340.000000000, api_lt=1654618740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654604340.000000000, search_lt=1654618740.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3129", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=129, eliminated_buckets=0, considered_events=24717370, total_slices=1643121, decompressed_slices=412568, duration.command.search.index=11506, invocations.command.search.index.bucketcache.hit=129, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=105120, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12268961, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 16:19:49.326, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654618680_64875', total_run_time=40.54, event_count=0, result_count=0, available_count=0, scan_count=24684546, drop_count=0, exec_time=1654618730, api_et=1654604280.000000000, api_lt=1654618680.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654604280.000000000, search_lt=1654618680.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3059", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=129, eliminated_buckets=1, considered_events=24684546, total_slices=1641191, decompressed_slices=412201, duration.command.search.index=12553, invocations.command.search.index.bucketcache.hit=129, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=98377, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12261823, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 16:19:17.200, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654618560_64825', total_run_time=11.23, event_count=0, result_count=0, available_count=0, scan_count=1, drop_count=0, exec_time=1654618570, api_et=1654614360.000000000, api_lt=1654617960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654614960.000000000, search_lt=1654618572.554003000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3618", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_7b81ca26b03341c7", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1105, eliminated_buckets=387, considered_events=1, total_slices=13337, decompressed_slices=1, duration.command.search.index=939, invocations.command.search.index.bucketcache.hit=1105, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=147, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes 
values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 16:19:16.642, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654618500_64814', total_run_time=32.18, event_count=0, result_count=0, available_count=0, scan_count=24594635, drop_count=0, exec_time=1654618550, api_et=1654604100.000000000, api_lt=1654618500.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654604100.000000000, search_lt=1654618500.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3161", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=128, eliminated_buckets=0, considered_events=24594635, total_slices=1635290, 
decompressed_slices=411118, duration.command.search.index=11636, invocations.command.search.index.bucketcache.hit=128, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=91417, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12241186, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 16:19:15.187, 
user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654618620_64855', total_run_time=35.34, event_count=0, result_count=0, available_count=0, scan_count=24652114, drop_count=0, exec_time=1654618670, api_et=1654604220.000000000, api_lt=1654618620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654604220.000000000, search_lt=1654618620.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3039", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=129, eliminated_buckets=1, considered_events=24652114, total_slices=1639226, decompressed_slices=411849, duration.command.search.index=11362, invocations.command.search.index.bucketcache.hit=129, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=93036, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12255324, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" 
dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 16:19:15.051, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654618560_64831', total_run_time=36.83, event_count=0, result_count=0, available_count=0, scan_count=24622538, drop_count=0, exec_time=1654618610, api_et=1654604160.000000000, api_lt=1654618560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654604160.000000000, search_lt=1654618560.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3210", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=128, eliminated_buckets=0, considered_events=24622538, total_slices=1637261, decompressed_slices=411474, duration.command.search.index=11384, invocations.command.search.index.bucketcache.hit=128, 
duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=93008, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12248361, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 16:15:43.402, user=u00002, action=search, info=completed, 
search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654618440_64795', total_run_time=30.30, event_count=0, result_count=0, available_count=0, scan_count=24567226, drop_count=0, exec_time=1654618489, api_et=1654604040.000000000, api_lt=1654618440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654604040.000000000, search_lt=1654618440.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2627", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=128, eliminated_buckets=0, considered_events=24567226, total_slices=1633164, decompressed_slices=410919, duration.command.search.index=10105, invocations.command.search.index.bucketcache.hit=128, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=77000, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12234619, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" 
src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 16:14:43.497, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654618440_64782', total_run_time=8.78, event_count=0, result_count=0, available_count=0, scan_count=17466, drop_count=0, exec_time=1654618463, api_et=1654614840.000000000, api_lt=1654618440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654614840.000000000, search_lt=1654618465.539391000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="3227", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=424, eliminated_buckets=297, considered_events=17564, total_slices=597317, decompressed_slices=5155, duration.command.search.index=1539, invocations.command.search.index.bucketcache.hit=424, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=7399, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=81, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=623, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=1633, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=390, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=10, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=513, sourcetype_count__crowdstrike:falcon:fdr:RtfFileWritten=4, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=17, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR 
sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." 
(CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-07-2022 16:14:43.197, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654618380_64772', total_run_time=31.65, event_count=0, result_count=0, available_count=0, scan_count=24538552, drop_count=0, exec_time=1654618429, api_et=1654603980.000000000, api_lt=1654618380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654603980.000000000, search_lt=1654618380.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2730", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=24538552, total_slices=1631092, decompressed_slices=410592, duration.command.search.index=9993, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=78838, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12227540, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 16:13:43.214, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654618320_64745', total_run_time=44.04, event_count=0, result_count=0, available_count=0, scan_count=24508357, drop_count=0, exec_time=1654618370, api_et=1654603920.000000000, api_lt=1654618320.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654603920.000000000, search_lt=1654618320.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2733", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=24508357, total_slices=1629234, decompressed_slices=410384, duration.command.search.index=10785, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=90773, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12220526, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 16:12:43.131, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654618260_64727', total_run_time=43.33, event_count=0, result_count=0, available_count=0, scan_count=24476619, drop_count=0, exec_time=1654618310, api_et=1654603860.000000000, api_lt=1654618260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654603860.000000000, search_lt=1654618260.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3292", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=24476619, total_slices=1627294, decompressed_slices=409952, duration.command.search.index=10054, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=88193, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12213680, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 16:11:43.497, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654618200_64700', total_run_time=47.38, event_count=0, result_count=0, available_count=0, scan_count=24446585, drop_count=0, exec_time=1654618249, api_et=1654603800.000000000, api_lt=1654618200.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654603800.000000000, search_lt=1654618200.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3399", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=24446585, total_slices=1625362, decompressed_slices=409495, duration.command.search.index=11764, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=93045, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12205176, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 16:11:13.216, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654618260_64710', total_run_time=4.14, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654618265, api_et=1654614660.000000000, api_lt=1654618260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654614660.000000000, search_lt=1654618267.723207000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2967", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_27d23a81fc95b96a", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=141, eliminated_buckets=60, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=50, invocations.command.search.index.bucketcache.hit=141, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 16:10:43.251, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654618140_64670', total_run_time=43.48, event_count=0, result_count=0, available_count=0, scan_count=24417932, drop_count=0, exec_time=1654618190, api_et=1654603740.000000000, api_lt=1654618140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654603740.000000000, search_lt=1654618140.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2745", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=24417932, total_slices=1623207, decompressed_slices=409143, duration.command.search.index=10957, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=91578, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12199146, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 16:09:43.584, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654618140_64662', total_run_time=21.34, event_count=1, result_count=1, available_count=0, scan_count=4976399, drop_count=0, exec_time=1654618145, api_et=1654613940.000000000, api_lt=1654617540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654613940.000000000, search_lt=1654617540.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3240", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_6db7d9995cc736fd", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=790, eliminated_buckets=383, considered_events=4976399, total_slices=1203975, decompressed_slices=230986, duration.command.search.index=2163, invocations.command.search.index.bucketcache.hit=787, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=39499, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=103, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", 
risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 16:09:43.250, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654618080_64654', total_run_time=32.84, event_count=0, result_count=0, available_count=0, scan_count=24390683, drop_count=0, exec_time=1654618130, api_et=1654603680.000000000, api_lt=1654618080.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654603680.000000000, search_lt=1654618080.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2856", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=24390683, total_slices=1621192, decompressed_slices=408801, duration.command.search.index=10530, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=84213, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, 
duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12191284, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 16:08:43.651, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654618020_64638', total_run_time=39.59, event_count=0, result_count=0, available_count=0, scan_count=24357047, drop_count=0, exec_time=1654618070, api_et=1654603620.000000000, api_lt=1654618020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654603620.000000000, search_lt=1654618020.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", 
search_startup_time="2701", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=24357047, total_slices=1619211, decompressed_slices=408347, duration.command.search.index=11905, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=109659, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12183960, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as 
latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 16:08:43.566, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654618020_64641', total_run_time=24.56, event_count=1189, result_count=58, available_count=0, scan_count=572805, drop_count=0, exec_time=1654618080, api_et=1654614420.000000000, api_lt=1654618020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654614420.000000000, search_lt=1654618082.611248000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2902", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=421, eliminated_buckets=199, considered_events=577946, total_slices=764718, decompressed_slices=142499, duration.command.search.index=5681, invocations.command.search.index.bucketcache.hit=421, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51428, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=2, 
sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=450569, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=41143, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-07-2022 16:07:43.433, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654617960_64617', total_run_time=35.70, event_count=0, 
result_count=0, available_count=0, scan_count=24321899, drop_count=0, exec_time=1654618010, api_et=1654603560.000000000, api_lt=1654617960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654603560.000000000, search_lt=1654617960.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2873", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=24321899, total_slices=1617103, decompressed_slices=407851, duration.command.search.index=11278, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=97077, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12174610, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | 
lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 16:07:43.232, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654618020_64633', total_run_time=9.81, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654618046, api_et=1654614420.000000000, api_lt=1654618020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654614420.000000000, search_lt=1654618048.300359000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2907", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_45f8fe30daac831a", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=420, eliminated_buckets=199, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=1348, invocations.command.search.index.bucketcache.hit=420, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, 
duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 16:06:43.192, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654617900_64603', total_run_time=34.96, event_count=0, result_count=0, available_count=0, scan_count=24290012, drop_count=0, exec_time=1654617951, api_et=1654603500.000000000, api_lt=1654617900.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654603500.000000000, search_lt=1654617900.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3296", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=24290012, total_slices=1615094, decompressed_slices=407502, duration.command.search.index=11074, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=89774, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12166998, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 16:05:43.509, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654617840_64585', total_run_time=41.20, event_count=0, result_count=0, available_count=0, scan_count=24257381, drop_count=0, exec_time=1654617889, api_et=1654603440.000000000, api_lt=1654617840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654603440.000000000, search_lt=1654617840.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2908", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=126, eliminated_buckets=0, considered_events=24257381, total_slices=1612977, decompressed_slices=407084, duration.command.search.index=12827, invocations.command.search.index.bucketcache.hit=126, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=107597, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12158397, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 16:04:43.301, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654617780_64544', total_run_time=46.93, event_count=0, result_count=0, available_count=0, scan_count=24229644, drop_count=0, exec_time=1654617830, api_et=1654603380.000000000, api_lt=1654617780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654603380.000000000, search_lt=1654617780.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2838", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=125, eliminated_buckets=0, considered_events=24229644, total_slices=1610961, decompressed_slices=406763, duration.command.search.index=14757, invocations.command.search.index.bucketcache.hit=125, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=158759, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12151312, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 16:03:43.286, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654617720_64499', total_run_time=51.64, event_count=0, result_count=0, available_count=0, scan_count=24201425, drop_count=0, exec_time=1654617770, api_et=1654603320.000000000, api_lt=1654617720.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654603320.000000000, search_lt=1654617720.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2848", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=125, eliminated_buckets=0, considered_events=24201425, total_slices=1609036, decompressed_slices=406331, duration.command.search.index=13752, invocations.command.search.index.bucketcache.hit=125, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=122651, invocations.command.search.rawdata.bucketcache.hit=13, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12146481, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 16:02:32.089, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654617660_64468', total_run_time=41.49, event_count=0, result_count=0, available_count=0, scan_count=24166810, drop_count=0, exec_time=1654617710, api_et=1654603260.000000000, api_lt=1654617660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654603260.000000000, search_lt=1654617660.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2715", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=125, eliminated_buckets=0, considered_events=24166810, total_slices=1606943, decompressed_slices=405915, duration.command.search.index=12749, invocations.command.search.index.bucketcache.hit=125, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=104532, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12140864, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 16:02:00.538, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654617600_64437', total_run_time=49.00, event_count=0, result_count=0, available_count=0, scan_count=24134226, drop_count=0, exec_time=1654617649, api_et=1654603200.000000000, api_lt=1654617600.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654603200.000000000, search_lt=1654617600.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2823", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=125, eliminated_buckets=0, considered_events=24134226, total_slices=1604706, decompressed_slices=405477, duration.command.search.index=13499, invocations.command.search.index.bucketcache.hit=125, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=124592, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12134837, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 15:45:48.549, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654616580_64127', total_run_time=46.85, event_count=0, result_count=0, available_count=0, scan_count=3566, drop_count=0, exec_time=1654616618, api_et=1654612980.000000000, api_lt=1654616580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654612980.000000000, search_lt=1654616620.424449000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3105", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_8e0556ae68d532da", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=116, eliminated_buckets=0, considered_events=3566, total_slices=1200864, decompressed_slices=1074, duration.command.search.index=1484, invocations.command.search.index.bucketcache.hit=116, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5753, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 15:34:10.228, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654615980_63910', total_run_time=42.43, event_count=0, result_count=0, available_count=0, scan_count=41276053, drop_count=0, exec_time=1654616007, api_et=1654612380.000000000, api_lt=1654615980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654612380.000000000, search_lt=1654616009.240815000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="4181", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_414ca91149ef9393", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=2336, eliminated_buckets=131, considered_events=41276053, total_slices=13704488, decompressed_slices=4010861, duration.command.search.index=17483, invocations.command.search.index.bucketcache.hit=2332, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=227329, invocations.command.search.rawdata.bucketcache.hit=260, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 15:16:30.363, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654614960_63542', total_run_time=14.02, event_count=0, result_count=0, available_count=0, scan_count=32, drop_count=0, exec_time=1654614971, api_et=1654610760.000000000, api_lt=1654614360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654611360.000000000, search_lt=1654614972.991474000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3565", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_b9b96ab3d06bcd33", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1115, eliminated_buckets=389, considered_events=32, total_slices=17914, decompressed_slices=5, duration.command.search.index=1489, invocations.command.search.index.bucketcache.hit=1115, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=322, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 15:15:00.093, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654614840_63502', total_run_time=7.57, event_count=0, result_count=0, available_count=0, scan_count=21457, drop_count=0, exec_time=1654614864, api_et=1654611240.000000000, api_lt=1654614840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654611240.000000000, search_lt=1654614865.770895000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2801", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=411, eliminated_buckets=284, considered_events=22097, total_slices=464723, decompressed_slices=5115, duration.command.search.index=1483, invocations.command.search.index.bucketcache.hit=411, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=6828, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=93, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=467, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=1232, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=286, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=6, 
sourcetype_count__crowdstrike:falcon:fdr:PdfFileWritten=1, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=491, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=14, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR 
sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-07-2022 15:11:29.881, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654614660_63437', total_run_time=4.86, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654614665, api_et=1654611060.000000000, api_lt=1654614660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654611060.000000000, search_lt=1654614667.419516000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2906", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_2c853ba2ced4ea81", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=141, eliminated_buckets=60, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=48, 
invocations.command.search.index.bucketcache.hit=141, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 15:09:30.134, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654614540_63390', total_run_time=20.95, event_count=0, result_count=0, available_count=0, scan_count=5107533, drop_count=0, exec_time=1654614546, api_et=1654610340.000000000, api_lt=1654613940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654610340.000000000, search_lt=1654613940.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3229", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_1771ea8dad6dde07", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=791, eliminated_buckets=386, considered_events=5107533, total_slices=1251592, decompressed_slices=239454, duration.command.search.index=2222, invocations.command.search.index.bucketcache.hit=785, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=39750, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=102, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 15:08:59.983, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654614420_63374', total_run_time=27.35, event_count=1207, result_count=56, available_count=0, scan_count=542391, drop_count=0, exec_time=1654614484, api_et=1654610820.000000000, api_lt=1654614420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654610820.000000000, search_lt=1654614486.668106000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2896", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=412, eliminated_buckets=199, considered_events=546584, total_slices=661633, decompressed_slices=136821, duration.command.search.index=5426, invocations.command.search.index.bucketcache.hit=412, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=51780, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=1, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=428307, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=42075, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype 
CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-07-2022 15:08:00.091, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654614420_63364', total_run_time=9.24, event_count=0, result_count=0, available_count=0, scan_count=1, drop_count=0, exec_time=1654614447, api_et=1654610820.000000000, api_lt=1654614420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654610820.000000000, search_lt=1654614448.722454000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2714", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_680729493a2e92d2", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=411, eliminated_buckets=199, considered_events=1, total_slices=9684, decompressed_slices=0, duration.command.search.index=1202, invocations.command.search.index.bucketcache.hit=411, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=127, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 14:44:04.403, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654612980_62866', total_run_time=21.12, event_count=0, result_count=0, available_count=0, scan_count=2729, drop_count=0, exec_time=1654613018, api_et=1654609380.000000000, api_lt=1654612980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654609380.000000000, search_lt=1654613020.511999000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2825", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_d51e4ca60f04a5a9", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=116, eliminated_buckets=0, considered_events=2729, total_slices=1222811, decompressed_slices=778, duration.command.search.index=1210, invocations.command.search.index.bucketcache.hit=116, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4960, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 14:34:17.380, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654612380_62644', total_run_time=44.16, event_count=0, result_count=0, available_count=0, scan_count=41359437, drop_count=0, exec_time=1654612405, api_et=1654608780.000000000, api_lt=1654612380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654608780.000000000, search_lt=1654612407.726734000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3787", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_50671aa5a2086f0c", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=2366, eliminated_buckets=131, considered_events=41359437, total_slices=14025137, decompressed_slices=4009626, duration.command.search.index=15318, invocations.command.search.index.bucketcache.hit=2365, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=255097, invocations.command.search.rawdata.bucketcache.hit=290, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 14:20:14.821, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654611360_62272', total_run_time=40.78, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654611371, api_et=1654607160.000000000, api_lt=1654610760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654607760.000000000, search_lt=1654611373.060789000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3795", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_ea2b8c6be031dc14", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1116, eliminated_buckets=395, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=4744, invocations.command.search.index.bucketcache.hit=1116, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 14:14:34.376, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654611240_62232', total_run_time=5.32, event_count=0, result_count=0, available_count=0, scan_count=15000, drop_count=0, exec_time=1654611263, api_et=1654607640.000000000, api_lt=1654611240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654607640.000000000, search_lt=1654611265.119319000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2879", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=412, eliminated_buckets=283, considered_events=15143, total_slices=367474, decompressed_slices=4128, duration.command.search.index=1183, invocations.command.search.index.bucketcache.hit=412, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5826, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=65, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=332, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=1051, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=217, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=2, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=360, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=24, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") 
`filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-07-2022 14:11:18.615, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654611060_62166', total_run_time=4.91, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654611064, api_et=1654607460.000000000, api_lt=1654611060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654607460.000000000, search_lt=1654611066.358320000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2943", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_3ad56525722d1aec", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=142, eliminated_buckets=61, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=57, invocations.command.search.index.bucketcache.hit=142, 
duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 14:09:34.415, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654610940_62122', total_run_time=17.49, event_count=1, result_count=1, available_count=0, scan_count=4963634, drop_count=0, exec_time=1654610946, api_et=1654606740.000000000, api_lt=1654610340.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654606740.000000000, search_lt=1654610340.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3328", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_b956d75853df519f", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=802, eliminated_buckets=405, considered_events=4963634, total_slices=1223425, decompressed_slices=232301, duration.command.search.index=2036, invocations.command.search.index.bucketcache.hit=801, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=37271, invocations.command.search.rawdata.bucketcache.hit=9, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=114, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 14:08:34.788, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654610820_62103', total_run_time=24.30, event_count=1875, result_count=98, available_count=0, scan_count=552206, drop_count=0, exec_time=1654610880, api_et=1654607220.000000000, api_lt=1654610820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654607220.000000000, search_lt=1654610882.643879000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2867", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=411, eliminated_buckets=200, considered_events=558373, total_slices=526617, decompressed_slices=138659, duration.command.search.index=4524, invocations.command.search.index.bucketcache.hit=411, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=42929, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=4, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=442312, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=49173, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype 
CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-07-2022 14:07:34.462, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654610820_62098', total_run_time=6.82, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654610846, api_et=1654607220.000000000, api_lt=1654610820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654607220.000000000, search_lt=1654610848.462579000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2829", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_ec4c458f44ba0970", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=411, eliminated_buckets=200, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=1072, invocations.command.search.index.bucketcache.hit=411, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 13:44:20.187, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654609380_61599', total_run_time=36.07, event_count=0, result_count=0, available_count=0, scan_count=2980, drop_count=0, exec_time=1654609418, api_et=1654605780.000000000, api_lt=1654609380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654605780.000000000, search_lt=1654609420.195469000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2905", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_2c10f7fd60e4a174", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=113, eliminated_buckets=0, considered_events=2980, total_slices=1223211, decompressed_slices=542, duration.command.search.index=1505, invocations.command.search.index.bucketcache.hit=113, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5889, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 13:34:28.855, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654608780_61374', total_run_time=38.71, event_count=0, result_count=0, available_count=0, scan_count=41003508, drop_count=0, exec_time=1654608805, api_et=1654605180.000000000, api_lt=1654608780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654605180.000000000, search_lt=1654608807.367174000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3821", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_8e52b21e898402da", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=2350, eliminated_buckets=131, considered_events=41003508, total_slices=13746969, decompressed_slices=3948833, duration.command.search.index=14219, invocations.command.search.index.bucketcache.hit=2346, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=222406, invocations.command.search.rawdata.bucketcache.hit=261, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 13:19:13.848, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654607760_61010', total_run_time=8.51, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654607771, api_et=1654603560.000000000, api_lt=1654607160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654604160.000000000, search_lt=1654607772.942469000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3702", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_91a803f20433e55c", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1116, eliminated_buckets=397, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=739, invocations.command.search.index.bucketcache.hit=1116, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?<rapiddiag_operation>task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?<get_parameters>.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?<task_name>.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 13:14:33.294, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654607640_60970', total_run_time=8.54, event_count=0, result_count=0, available_count=0, scan_count=10612, drop_count=0, exec_time=1654607663, api_et=1654604040.000000000, api_lt=1654607640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654604040.000000000, search_lt=1654607665.679981000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2875", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=417, eliminated_buckets=285, considered_events=10637, total_slices=316971, decompressed_slices=2870, duration.command.search.index=1139, invocations.command.search.index.bucketcache.hit=417, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=6294, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=47, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=183, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=724, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=119, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=1, 
sourcetype_count__crowdstrike:falcon:fdr:PdfFileWritten=1, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=308, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=5, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR 
sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-07-2022 13:11:26.642, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654607460_60904', total_run_time=5.49, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654607465, api_et=1654603860.000000000, api_lt=1654607460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654603860.000000000, search_lt=1654607467.540280000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="3448", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_206e00de9b9e0675", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=61, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=61, 
invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?<dest_host>.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 13:09:33.383, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654607340_60860', total_run_time=22.50, event_count=0, result_count=0, available_count=0, scan_count=4879101, drop_count=0, exec_time=1654607345, api_et=1654603140.000000000, api_lt=1654606740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654603140.000000000, search_lt=1654606740.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3193", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_9b0812f3dc8d75ec", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=791, eliminated_buckets=385, considered_events=4879101, total_slices=1230332, decompressed_slices=229172, duration.command.search.index=2111, invocations.command.search.index.bucketcache.hit=783, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=37201, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=117, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?<granted_account_id>\d+?):(?<granted_principal_name>.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 13:08:33.305, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654607220_60842', total_run_time=27.61, event_count=1682, result_count=93, available_count=0, scan_count=450919, drop_count=0, exec_time=1654607280, api_et=1654603620.000000000, api_lt=1654607220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654603620.000000000, search_lt=1654607282.368919000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2836", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=421, eliminated_buckets=206, considered_events=458226, total_slices=434721, decompressed_slices=110709, duration.command.search.index=4423, invocations.command.search.index.bucketcache.hit=420, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=38726, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=6, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=363052, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=40341, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype 
CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-07-2022 13:08:02.777, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654607220_60837', total_run_time=9.26, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654607246, api_et=1654603620.000000000, api_lt=1654607220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654603620.000000000, search_lt=1654607248.531894000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2957", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_8a656e64e9a78a38", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=419, eliminated_buckets=204, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=1033, invocations.command.search.index.bucketcache.hit=418, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?<dest_host>(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 13:00:34.548, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654606740_60635', total_run_time=24.17, event_count=0, result_count=0, available_count=0, scan_count=21829696, drop_count=0, exec_time=1654606790, api_et=1654592340.000000000, api_lt=1654606740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654592340.000000000, search_lt=1654606740.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3075", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=110, eliminated_buckets=0, considered_events=21829696, total_slices=1294071, decompressed_slices=365179, duration.command.search.index=8349, invocations.command.search.index.bucketcache.hit=110, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=67548, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11700591, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 12:59:34.263, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654606680_60622', total_run_time=20.56, event_count=0, result_count=0, available_count=0, scan_count=21828361, drop_count=0, exec_time=1654606729, api_et=1654592280.000000000, api_lt=1654606680.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654592280.000000000, search_lt=1654606680.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3068", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=110, eliminated_buckets=0, considered_events=21828361, total_slices=1292348, decompressed_slices=364984, duration.command.search.index=8529, invocations.command.search.index.bucketcache.hit=110, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61243, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11699372, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 12:58:34.338, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654606620_60606', total_run_time=26.89, event_count=0, result_count=0, available_count=0, scan_count=21826951, drop_count=0, exec_time=1654606670, api_et=1654592220.000000000, api_lt=1654606620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654592220.000000000, search_lt=1654606620.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3056", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=110, eliminated_buckets=0, considered_events=21826951, total_slices=1290533, decompressed_slices=364908, duration.command.search.index=8840, invocations.command.search.index.bucketcache.hit=110, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=69207, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11699154, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 12:57:34.603, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654606560_60588', total_run_time=21.73, event_count=0, result_count=0, available_count=0, scan_count=21831650, drop_count=0, exec_time=1654606609, api_et=1654592160.000000000, api_lt=1654606560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654592160.000000000, search_lt=1654606560.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2689", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=110, eliminated_buckets=0, considered_events=21831650, total_slices=1288939, decompressed_slices=364818, duration.command.search.index=8673, invocations.command.search.index.bucketcache.hit=110, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61393, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11701483, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 12:56:34.486, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654606500_60577', total_run_time=22.31, event_count=0, result_count=0, available_count=0, scan_count=21833694, drop_count=0, exec_time=1654606550, api_et=1654592100.000000000, api_lt=1654606500.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654592100.000000000, search_lt=1654606500.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2618", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=110, eliminated_buckets=0, considered_events=21833694, total_slices=1287153, decompressed_slices=364702, duration.command.search.index=8939, invocations.command.search.index.bucketcache.hit=110, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61493, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11703331, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 12:55:34.302, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654606440_60560', total_run_time=25.07, event_count=0, result_count=0, available_count=0, scan_count=21835646, drop_count=0, exec_time=1654606490, api_et=1654592040.000000000, api_lt=1654606440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654592040.000000000, search_lt=1654606440.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2613", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=110, eliminated_buckets=0, considered_events=21835646, total_slices=1285389, decompressed_slices=364570, duration.command.search.index=8845, invocations.command.search.index.bucketcache.hit=110, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=60974, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11704009, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 12:54:34.202, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654606380_60543', total_run_time=27.87, event_count=0, result_count=0, available_count=0, scan_count=21835236, drop_count=0, exec_time=1654606430, api_et=1654591980.000000000, api_lt=1654606380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654591980.000000000, search_lt=1654606380.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3094", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=110, eliminated_buckets=0, considered_events=21835236, total_slices=1283825, decompressed_slices=364586, duration.command.search.index=8813, invocations.command.search.index.bucketcache.hit=110, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=65205, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11704006, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 12:53:23.851, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654606320_60518', total_run_time=28.54, event_count=0, result_count=0, available_count=0, scan_count=21837112, drop_count=0, exec_time=1654606369, api_et=1654591920.000000000, api_lt=1654606320.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654591920.000000000, search_lt=1654606320.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2621", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=110, eliminated_buckets=0, considered_events=21837112, total_slices=1281996, decompressed_slices=364568, duration.command.search.index=9566, invocations.command.search.index.bucketcache.hit=110, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=69285, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11703835, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 12:53:03.596, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654606200_60477', total_run_time=29.60, event_count=0, result_count=0, available_count=0, scan_count=21838664, drop_count=0, exec_time=1654606250, api_et=1654591800.000000000, api_lt=1654606200.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654591800.000000000, search_lt=1654606200.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3054", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=110, eliminated_buckets=0, considered_events=21838664, total_slices=1278714, decompressed_slices=364358, duration.command.search.index=9428, invocations.command.search.index.bucketcache.hit=110, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=70582, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11704731, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 12:53:03.306, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654606260_60500', total_run_time=19.50, event_count=0, result_count=0, available_count=0, scan_count=21838807, drop_count=0, exec_time=1654606309, api_et=1654591860.000000000, api_lt=1654606260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654591860.000000000, search_lt=1654606260.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2709", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=110, eliminated_buckets=0, considered_events=21838807, total_slices=1280346, decompressed_slices=364430, duration.command.search.index=9183, invocations.command.search.index.bucketcache.hit=110, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=65863, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11704092, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 12:50:36.965, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654606140_60440', total_run_time=29.72, event_count=0, result_count=0, available_count=0, scan_count=21837489, drop_count=0, exec_time=1654606191, api_et=1654591740.000000000, api_lt=1654606140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654591740.000000000, search_lt=1654606140.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3076", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=110, eliminated_buckets=0, considered_events=21837489, total_slices=1277134, decompressed_slices=364283, duration.command.search.index=8693, invocations.command.search.index.bucketcache.hit=110, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=69806, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11702563, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 12:49:35.121, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654606080_60419', total_run_time=24.34, event_count=0, result_count=0, available_count=0, scan_count=21838960, drop_count=0, exec_time=1654606130, api_et=1654591680.000000000, api_lt=1654606080.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654591680.000000000, search_lt=1654606080.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3050", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=110, eliminated_buckets=0, considered_events=21838960, total_slices=1275398, decompressed_slices=364372, duration.command.search.index=8502, invocations.command.search.index.bucketcache.hit=110, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=64923, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11702579, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 12:48:24.999, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654605900_60363', total_run_time=19.00, event_count=0, result_count=0, available_count=0, scan_count=21840017, drop_count=0, exec_time=1654605950, api_et=1654591500.000000000, api_lt=1654605900.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654591500.000000000, search_lt=1654605900.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3032", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=110, eliminated_buckets=0, considered_events=21840017, total_slices=1270489, decompressed_slices=364244, duration.command.search.index=8337, invocations.command.search.index.bucketcache.hit=110, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61977, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11703233, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 12:48:23.637, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654605960_60381', total_run_time=19.95, event_count=0, result_count=0, available_count=0, scan_count=21840571, drop_count=0, exec_time=1654606010, api_et=1654591560.000000000, api_lt=1654605960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654591560.000000000, search_lt=1654605960.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2951", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=110, eliminated_buckets=0, considered_events=21840571, total_slices=1272139, decompressed_slices=364328, duration.command.search.index=8097, invocations.command.search.index.bucketcache.hit=110, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58873, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11703269, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 12:48:21.721, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654606020_60402', total_run_time=18.83, event_count=0, result_count=0, available_count=0, scan_count=21840031, drop_count=0, exec_time=1654606070, api_et=1654591620.000000000, api_lt=1654606020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654591620.000000000, search_lt=1654606020.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3088", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=110, eliminated_buckets=0, considered_events=21840031, total_slices=1273807, decompressed_slices=364358, duration.command.search.index=8462, invocations.command.search.index.bucketcache.hit=110, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59227, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11702761, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 12:45:39.027, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654605840_60340', total_run_time=23.24, event_count=0, result_count=0, available_count=0, scan_count=21841313, drop_count=0, exec_time=1654605889, api_et=1654591440.000000000, api_lt=1654605840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654591440.000000000, search_lt=1654605840.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2761", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=110, eliminated_buckets=0, considered_events=21841313, total_slices=1268750, decompressed_slices=364171, duration.command.search.index=8711, invocations.command.search.index.bucketcache.hit=110, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=60010, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11704317, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 12:44:38.419, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654605780_60319', total_run_time=18.78, event_count=0, result_count=0, available_count=0, scan_count=21843618, drop_count=0, exec_time=1654605829, api_et=1654591380.000000000, api_lt=1654605780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654591380.000000000, search_lt=1654605780.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3276", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=110, eliminated_buckets=0, considered_events=21843618, total_slices=1267164, decompressed_slices=364144, duration.command.search.index=8254, invocations.command.search.index.bucketcache.hit=110, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59636, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11702961, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 12:44:08.260, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654605780_60316', total_run_time=29.61, event_count=0, result_count=0, available_count=0, scan_count=2586, drop_count=0, exec_time=1654605818, api_et=1654602180.000000000, api_lt=1654605780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654602180.000000000, search_lt=1654605820.365513000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2852", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_dc2d8ba5d6b50d1b", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=109, eliminated_buckets=0, considered_events=2586, total_slices=1033467, decompressed_slices=721, duration.command.search.index=1142, invocations.command.search.index.bucketcache.hit=109, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5120, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter 
vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 12:43:38.400, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654605720_60292', total_run_time=22.14, event_count=0, result_count=0, available_count=0, scan_count=21845536, drop_count=0, exec_time=1654605770, api_et=1654591320.000000000, api_lt=1654605720.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654591320.000000000, search_lt=1654605720.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2683", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=110, eliminated_buckets=0, considered_events=21845536, total_slices=1265381, decompressed_slices=364034, duration.command.search.index=8948, invocations.command.search.index.bucketcache.hit=110, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=65098, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11702600, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 12:42:38.350, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654605660_60269', total_run_time=19.70, event_count=0, result_count=0, available_count=0, scan_count=21847056, drop_count=0, exec_time=1654605710, api_et=1654591260.000000000, api_lt=1654605660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654591260.000000000, search_lt=1654605660.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2673", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=110, eliminated_buckets=0, considered_events=21847056, total_slices=1263814, decompressed_slices=364085, duration.command.search.index=9660, invocations.command.search.index.bucketcache.hit=110, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61226, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11703892, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 12:41:38.573, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654605600_60244', total_run_time=26.01, event_count=0, result_count=0, available_count=0, scan_count=21848719, drop_count=0, exec_time=1654605650, api_et=1654591200.000000000, api_lt=1654605600.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654591200.000000000, search_lt=1654605600.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2598", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=110, eliminated_buckets=0, considered_events=21848719, total_slices=1262121, decompressed_slices=364009, duration.command.search.index=9708, invocations.command.search.index.bucketcache.hit=110, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=71424, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11704658, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 12:40:29.025, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654605540_60209', total_run_time=22.16, event_count=0, result_count=0, available_count=0, scan_count=21853574, drop_count=0, exec_time=1654605589, api_et=1654591140.000000000, api_lt=1654605540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654591140.000000000, search_lt=1654605540.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2722", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=110, eliminated_buckets=0, considered_events=21853574, total_slices=1260370, decompressed_slices=363955, duration.command.search.index=8697, invocations.command.search.index.bucketcache.hit=110, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=65520, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11707767, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 12:40:10.409, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654605300_60152', total_run_time=20.99, event_count=0, result_count=0, available_count=0, scan_count=21875886, drop_count=0, exec_time=1654605350, api_et=1654590900.000000000, api_lt=1654605300.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654590900.000000000, search_lt=1654605300.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2636", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=110, eliminated_buckets=0, considered_events=21875886, total_slices=1253757, decompressed_slices=363973, duration.command.search.index=8590, invocations.command.search.index.bucketcache.hit=110, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=63637, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11720452, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 12:40:10.025, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654605420_60177', total_run_time=18.56, event_count=0, result_count=0, available_count=0, scan_count=21865679, drop_count=0, exec_time=1654605470, api_et=1654591020.000000000, api_lt=1654605420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654591020.000000000, search_lt=1654605420.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2720", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=110, eliminated_buckets=0, considered_events=21865679, total_slices=1257101, decompressed_slices=363950, duration.command.search.index=8295, invocations.command.search.index.bucketcache.hit=110, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=60295, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11713592, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 12:40:09.815, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654605360_60162', total_run_time=18.78, event_count=0, result_count=0, available_count=0, scan_count=21871954, drop_count=0, exec_time=1654605410, api_et=1654590960.000000000, api_lt=1654605360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654590960.000000000, search_lt=1654605360.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2835", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=110, eliminated_buckets=0, considered_events=21871954, total_slices=1255492, decompressed_slices=363963, duration.command.search.index=8674, invocations.command.search.index.bucketcache.hit=110, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=60399, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11717388, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 12:40:08.615, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654605480_60193', total_run_time=17.05, event_count=0, result_count=0, available_count=0, scan_count=21858725, drop_count=0, exec_time=1654605530, api_et=1654591080.000000000, api_lt=1654605480.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654591080.000000000, search_lt=1654605480.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2720", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=110, eliminated_buckets=0, considered_events=21858725, total_slices=1258781, decompressed_slices=363964, duration.command.search.index=8771, invocations.command.search.index.bucketcache.hit=110, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61469, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11711123, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 12:35:42.259, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654605240_60130', total_run_time=29.02, event_count=0, result_count=0, available_count=0, scan_count=21882200, drop_count=0, exec_time=1654605289, api_et=1654590840.000000000, api_lt=1654605240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654590840.000000000, search_lt=1654605240.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2824", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=110, eliminated_buckets=0, considered_events=21882200, total_slices=1252292, decompressed_slices=364014, duration.command.search.index=9688, invocations.command.search.index.bucketcache.hit=110, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=71496, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11723917, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 12:34:42.185, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654605180_60095', total_run_time=32.94, event_count=0, result_count=0, available_count=0, scan_count=21884059, drop_count=0, exec_time=1654605229, api_et=1654590780.000000000, api_lt=1654605180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654590780.000000000, search_lt=1654605180.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2822", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=110, eliminated_buckets=0, considered_events=21884059, total_slices=1250309, decompressed_slices=364041, duration.command.search.index=10591, invocations.command.search.index.bucketcache.hit=110, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=81953, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11724590, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 12:34:12.334, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654605180_60081', total_run_time=35.36, event_count=0, result_count=0, available_count=0, scan_count=41157597, drop_count=0, exec_time=1654605205, api_et=1654601580.000000000, api_lt=1654605180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654601580.000000000, search_lt=1654605207.291325000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3752", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_c2abe925c7988b8f", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=2398, eliminated_buckets=131, considered_events=41157597, total_slices=13861652, decompressed_slices=3956963, duration.command.search.index=16080, invocations.command.search.index.bucketcache.hit=2397, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=222817, invocations.command.search.rawdata.bucketcache.hit=284, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 12:33:33.682, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654605120_60059', total_run_time=35.97, event_count=0, result_count=0, available_count=0, scan_count=21891836, drop_count=0, exec_time=1654605169, api_et=1654590720.000000000, api_lt=1654605120.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654590720.000000000, search_lt=1654605120.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2726", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=110, eliminated_buckets=0, considered_events=21891836, total_slices=1248934, decompressed_slices=364041, duration.command.search.index=12072, invocations.command.search.index.bucketcache.hit=110, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=105454, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11726724, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 12:33:17.178, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654605000_60001', total_run_time=42.05, event_count=0, result_count=0, available_count=0, scan_count=21901626, drop_count=0, exec_time=1654605050, api_et=1654590600.000000000, api_lt=1654605000.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654590600.000000000, search_lt=1654605000.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2776", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=110, eliminated_buckets=0, considered_events=21901626, total_slices=1245515, decompressed_slices=363989, duration.command.search.index=13946, invocations.command.search.index.bucketcache.hit=110, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=123212, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11731208, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 12:33:16.650, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654605060_60029', total_run_time=30.93, event_count=0, result_count=0, available_count=0, scan_count=21895088, drop_count=0, exec_time=1654605110, api_et=1654590660.000000000, api_lt=1654605060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654590660.000000000, search_lt=1654605060.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3366", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=110, eliminated_buckets=0, considered_events=21895088, total_slices=1247188, decompressed_slices=364106, duration.command.search.index=11103, invocations.command.search.index.bucketcache.hit=110, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=90948, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11728455, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 12:30:41.016, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654604940_59959', total_run_time=25.74, event_count=0, result_count=0, available_count=0, scan_count=21908362, drop_count=0, exec_time=1654604990, api_et=1654590540.000000000, api_lt=1654604940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654590540.000000000, search_lt=1654604940.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2657", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=110, eliminated_buckets=0, considered_events=21908362, total_slices=1243782, decompressed_slices=363882, duration.command.search.index=8883, invocations.command.search.index.bucketcache.hit=110, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=67984, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11733850, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 12:29:16.438, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654604880_59946', total_run_time=22.13, event_count=0, result_count=0, available_count=0, scan_count=21909678, drop_count=0, exec_time=1654604929, api_et=1654590480.000000000, api_lt=1654604880.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654590480.000000000, search_lt=1654604880.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2834", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=110, eliminated_buckets=0, considered_events=21909678, total_slices=1242032, decompressed_slices=363871, duration.command.search.index=9319, invocations.command.search.index.bucketcache.hit=110, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=64135, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11734020, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 12:29:16.391, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654604760_59912', total_run_time=18.89, event_count=0, result_count=0, available_count=0, scan_count=21913295, drop_count=0, exec_time=1654604809, api_et=1654590360.000000000, api_lt=1654604760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654590360.000000000, search_lt=1654604760.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2731", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=110, eliminated_buckets=0, considered_events=21913295, total_slices=1238657, decompressed_slices=363780, duration.command.search.index=9212, invocations.command.search.index.bucketcache.hit=110, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=62488, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11732716, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 12:29:15.419, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654604820_59931', total_run_time=20.97, event_count=0, result_count=0, available_count=0, scan_count=21912210, drop_count=0, exec_time=1654604869, api_et=1654590420.000000000, api_lt=1654604820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654590420.000000000, search_lt=1654604820.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2783", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=110, eliminated_buckets=0, considered_events=21912210, total_slices=1240424, decompressed_slices=363857, duration.command.search.index=8702, invocations.command.search.index.bucketcache.hit=110, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=64742, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11733550, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 12:29:14.863, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654604700_59896', total_run_time=21.87, event_count=0, result_count=0, available_count=0, scan_count=21911694, drop_count=0, exec_time=1654604749, api_et=1654590300.000000000, api_lt=1654604700.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654590300.000000000, search_lt=1654604700.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2639", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=110, eliminated_buckets=0, considered_events=21911694, total_slices=1237061, decompressed_slices=363720, duration.command.search.index=8838, invocations.command.search.index.bucketcache.hit=110, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=64716, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11732186, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 12:25:37.924, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654604640_59882', total_run_time=24.98, event_count=0, result_count=0, available_count=0, scan_count=21912137, drop_count=0, exec_time=1654604689, api_et=1654590240.000000000, api_lt=1654604640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654590240.000000000, search_lt=1654604640.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2754", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=110, eliminated_buckets=0, considered_events=21912137, total_slices=1235303, decompressed_slices=363629, duration.command.search.index=9414, invocations.command.search.index.bucketcache.hit=110, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=67763, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11730452, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 12:24:28.654, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654604580_59863', total_run_time=18.51, event_count=0, result_count=0, available_count=0, scan_count=21908616, drop_count=0, exec_time=1654604629, api_et=1654590180.000000000, api_lt=1654604580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654590180.000000000, search_lt=1654604580.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2642", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=110, eliminated_buckets=0, considered_events=21908616, total_slices=1233635, decompressed_slices=363440, duration.command.search.index=9225, invocations.command.search.index.bucketcache.hit=110, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=63237, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11728733, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 12:24:10.137, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654604520_59831', total_run_time=27.07, event_count=0, result_count=0, available_count=0, scan_count=21910037, drop_count=0, exec_time=1654604569, api_et=1654590120.000000000, api_lt=1654604520.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654590120.000000000, search_lt=1654604520.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3324", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=110, eliminated_buckets=0, considered_events=21910037, total_slices=1231444, decompressed_slices=363442, duration.command.search.index=10786, invocations.command.search.index.bucketcache.hit=110, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=84008, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11727645, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 12:24:09.746, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654604460_59815', total_run_time=25.66, event_count=0, result_count=0, available_count=0, scan_count=21910834, drop_count=0, exec_time=1654604509, api_et=1654590060.000000000, api_lt=1654604460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654590060.000000000, search_lt=1654604460.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2678", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=110, eliminated_buckets=0, considered_events=21910834, total_slices=1230264, decompressed_slices=363443, duration.command.search.index=10738, invocations.command.search.index.bucketcache.hit=110, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=75375, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11727720, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 12:24:07.219, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654604340_59750', total_run_time=41.92, event_count=0, result_count=0, available_count=0, scan_count=21914485, drop_count=0, exec_time=1654604390, api_et=1654589940.000000000, api_lt=1654604340.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654589940.000000000, search_lt=1654604340.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3085", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=110, eliminated_buckets=0, considered_events=21914485, total_slices=1227042, decompressed_slices=363418, duration.command.search.index=11335, invocations.command.search.index.bucketcache.hit=110, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=103205, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11727457, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 12:24:06.927, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654604400_59786', total_run_time=40.02, event_count=0, result_count=0, available_count=0, scan_count=21912233, drop_count=0, exec_time=1654604449, api_et=1654590000.000000000, api_lt=1654604400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654590000.000000000, search_lt=1654604400.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3113", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=110, eliminated_buckets=0, considered_events=21912233, total_slices=1228841, decompressed_slices=363422, duration.command.search.index=11918, invocations.command.search.index.bucketcache.hit=110, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=89301, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11727365, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 12:19:27.551, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654604220_59703', total_run_time=32.48, event_count=0, result_count=0, available_count=0, scan_count=21913830, drop_count=0, exec_time=1654604270, api_et=1654589820.000000000, api_lt=1654604220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654589820.000000000, search_lt=1654604220.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3376", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=110, eliminated_buckets=0, considered_events=21913830, total_slices=1223793, decompressed_slices=363287, duration.command.search.index=11074, invocations.command.search.index.bucketcache.hit=110, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=95388, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11724500, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 12:19:25.141, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654604160_59680', total_run_time=31.96, event_count=0, result_count=0, available_count=0, scan_count=21914738, drop_count=0, exec_time=1654604210, api_et=1654589760.000000000, api_lt=1654604160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654589760.000000000, search_lt=1654604160.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3189", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=110, eliminated_buckets=0, considered_events=21914738, total_slices=1222221, decompressed_slices=363273, duration.command.search.index=11207, invocations.command.search.index.bucketcache.hit=110, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=95167, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11725208, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 12:19:23.348, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654604160_59674', total_run_time=8.84, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654604171, api_et=1654599960.000000000, api_lt=1654603560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654600560.000000000, search_lt=1654604173.039479000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3557", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_398013556d6797bd", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1114, eliminated_buckets=396, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=938, invocations.command.search.index.bucketcache.hit=1114, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes 
values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 12:19:23.122, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654604100_59663', total_run_time=31.67, event_count=0, result_count=0, available_count=0, scan_count=21912407, drop_count=0, exec_time=1654604150, api_et=1654589700.000000000, api_lt=1654604100.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654589700.000000000, search_lt=1654604100.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3151", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=110, eliminated_buckets=0, considered_events=21912407, total_slices=1220609, 
decompressed_slices=363272, duration.command.search.index=11323, invocations.command.search.index.bucketcache.hit=110, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=97349, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11725371, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 12:19:23.049, 
user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654604280_59725', total_run_time=32.78, event_count=0, result_count=0, available_count=0, scan_count=21912275, drop_count=0, exec_time=1654604330, api_et=1654589880.000000000, api_lt=1654604280.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654589880.000000000, search_lt=1654604280.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3171", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=110, eliminated_buckets=0, considered_events=21912275, total_slices=1225398, decompressed_slices=363371, duration.command.search.index=12359, invocations.command.search.index.bucketcache.hit=110, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=101324, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11725097, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" 
dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 12:15:29.157, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654604040_59644', total_run_time=24.44, event_count=0, result_count=0, available_count=0, scan_count=21913289, drop_count=0, exec_time=1654604090, api_et=1654589640.000000000, api_lt=1654604040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654589640.000000000, search_lt=1654604040.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2808", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=110, eliminated_buckets=0, considered_events=21913289, total_slices=1219075, decompressed_slices=363329, duration.command.search.index=9276, invocations.command.search.index.bucketcache.hit=110, 
duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=74313, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11724300, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 12:14:58.945, user=u00001, action=search, info=completed, 
search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654604040_59631', total_run_time=6.84, event_count=0, result_count=0, available_count=0, scan_count=16431, drop_count=0, exec_time=1654604063, api_et=1654600440.000000000, api_lt=1654604040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654600440.000000000, search_lt=1654604065.043355000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2963", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=422, eliminated_buckets=287, considered_events=16597, total_slices=421898, decompressed_slices=3806, duration.command.search.index=1146, invocations.command.search.index.bucketcache.hit=421, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=6592, invocations.command.search.rawdata.bucketcache.hit=6, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=45, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=151, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=420, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=95, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=3, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=104, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull 
value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-07-2022 12:14:28.955, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654603980_59621', total_run_time=21.47, event_count=0, result_count=0, available_count=0, scan_count=21911467, drop_count=0, exec_time=1654604030, api_et=1654589580.000000000, api_lt=1654603980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654589580.000000000, search_lt=1654603980.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2642", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=110, eliminated_buckets=0, considered_events=21911467, total_slices=1217303, decompressed_slices=363277, duration.command.search.index=8985, invocations.command.search.index.bucketcache.hit=110, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, 
invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=63917, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11724185, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 12:13:29.690, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654603920_59594', total_run_time=19.09, event_count=0, result_count=0, available_count=0, scan_count=21910230, drop_count=0, exec_time=1654603970, 
api_et=1654589520.000000000, api_lt=1654603920.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654589520.000000000, search_lt=1654603920.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2730", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=110, eliminated_buckets=0, considered_events=21910230, total_slices=1215631, decompressed_slices=363258, duration.command.search.index=8745, invocations.command.search.index.bucketcache.hit=110, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=63624, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11723137, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS 
existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 12:12:31.693, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654603860_59575', total_run_time=18.97, event_count=0, result_count=0, available_count=0, scan_count=21909952, drop_count=0, exec_time=1654603909, api_et=1654589460.000000000, api_lt=1654603860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654589460.000000000, search_lt=1654603860.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2733", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=110, eliminated_buckets=0, considered_events=21909952, total_slices=1213992, decompressed_slices=363314, duration.command.search.index=8444, invocations.command.search.index.bucketcache.hit=110, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=60839, invocations.command.search.rawdata.bucketcache.hit=1, 
duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11722451, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 12:11:29.141, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654603800_59549', total_run_time=24.96, event_count=0, result_count=0, available_count=0, scan_count=21908395, drop_count=0, exec_time=1654603849, api_et=1654589400.000000000, api_lt=1654603800.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654589400.000000000, 
search_lt=1654603800.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3274", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=110, eliminated_buckets=0, considered_events=21908395, total_slices=1212472, decompressed_slices=363381, duration.command.search.index=9093, invocations.command.search.index.bucketcache.hit=110, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=67643, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11722434, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | 
search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 12:11:28.914, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654603860_59558', total_run_time=4.71, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654603864, api_et=1654600260.000000000, api_lt=1654603860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654600260.000000000, search_lt=1654603866.190050000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2723", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_58f31bd8bba69dd8", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=145, eliminated_buckets=61, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=65, invocations.command.search.index.bucketcache.hit=145, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, 
invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 12:10:29.204, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654603740_59516', total_run_time=19.79, event_count=0, result_count=0, available_count=0, scan_count=21908818, drop_count=0, exec_time=1654603789, api_et=1654589340.000000000, api_lt=1654603740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654589340.000000000, search_lt=1654603740.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2692", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=110, eliminated_buckets=0, considered_events=21908818, total_slices=1210842, decompressed_slices=363284, duration.command.search.index=8796, invocations.command.search.index.bucketcache.hit=110, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=63349, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11721846, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 12:09:29.001, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654603740_59508', total_run_time=20.23, event_count=4, result_count=4, available_count=0, scan_count=5229436, drop_count=0, exec_time=1654603745, api_et=1654599540.000000000, api_lt=1654603140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654599540.000000000, search_lt=1654603140.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3218", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_5807b30b27bfcf1b", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=759, eliminated_buckets=362, considered_events=5229436, total_slices=1303866, decompressed_slices=234650, duration.command.search.index=2159, invocations.command.search.index.bucketcache.hit=759, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=38419, invocations.command.search.rawdata.bucketcache.hit=15, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=92, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", 
risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 12:09:28.944, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654603680_59500', total_run_time=18.70, event_count=0, result_count=0, available_count=0, scan_count=21907316, drop_count=0, exec_time=1654603729, api_et=1654589280.000000000, api_lt=1654603680.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654589280.000000000, search_lt=1654603680.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2665", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=110, eliminated_buckets=0, considered_events=21907316, total_slices=1209167, decompressed_slices=363263, duration.command.search.index=8642, invocations.command.search.index.bucketcache.hit=110, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58972, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, 
duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11722032, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 12:08:29.126, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654603620_59483', total_run_time=18.95, event_count=0, result_count=0, available_count=0, scan_count=21907674, drop_count=0, exec_time=1654603669, api_et=1654589220.000000000, api_lt=1654603620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654589220.000000000, search_lt=1654603620.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", 
search_startup_time="2640", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=110, eliminated_buckets=0, considered_events=21907674, total_slices=1207470, decompressed_slices=363217, duration.command.search.index=9363, invocations.command.search.index.bucketcache.hit=110, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61544, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11720477, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen 
earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 12:08:28.927, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654603620_59486', total_run_time=15.75, event_count=1084, result_count=54, available_count=0, scan_count=338022, drop_count=0, exec_time=1654603680, api_et=1654600020.000000000, api_lt=1654603620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654600020.000000000, search_lt=1654603682.223257000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2936", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=419, eliminated_buckets=206, considered_events=346993, total_slices=517896, decompressed_slices=100662, duration.command.search.index=3655, invocations.command.search.index.bucketcache.hit=419, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=30076, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=4, 
sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=271177, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=31733, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-07-2022 12:07:58.960, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654603620_59478', total_run_time=7.65, event_count=0, 
result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654603646, api_et=1654600020.000000000, api_lt=1654603620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654600020.000000000, search_lt=1654603648.277185000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2918", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_092d894445e256b3", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=419, eliminated_buckets=206, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=946, invocations.command.search.index.bucketcache.hit=419, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR 
CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 12:07:30.027, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654603560_59463', total_run_time=21.33, event_count=0, result_count=0, available_count=0, scan_count=21908368, drop_count=0, exec_time=1654603610, api_et=1654589160.000000000, api_lt=1654603560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654589160.000000000, search_lt=1654603560.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2877", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=110, eliminated_buckets=0, considered_events=21908368, total_slices=1205920, decompressed_slices=363292, duration.command.search.index=8861, 
invocations.command.search.index.bucketcache.hit=110, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=64428, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11720525, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 12:07:29.602, user=u00002, action=search, info=completed, 
search_id='scheduler__u00002__search__RMD5b133e58a16dd7195_at_1654603200_59432', total_run_time=152.04, event_count=2696, result_count=2695, available_count=0, scan_count=1756789, drop_count=0, exec_time=1654603489, api_et=1654516800.000000000, api_lt=1654603200.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1567209600.000000000, search_lt=1654603200.000000000, is_realtime=0, savedsearch_name="DMO Confluence Aging Metrics", search_startup_time="64519", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_search_u00002_18cbfd0541e3a9e0", app="search", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=30399, eliminated_buckets=4774, considered_events=1756789, total_slices=14103383, decompressed_slices=1089726, duration.command.search.index=954543, invocations.command.search.index.bucketcache.hit=27341, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=3098, duration.command.search.index.bucketcache.miss=362098, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=251026, invocations.command.search.rawdata.bucketcache.hit=19453, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=900, duration.command.search.rawdata.bucketcache.miss=172692, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__access=71088, sourcetype_count__atlassian:confluence:access=1170765, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search earliest=08/31/2019:00:00:00 latest=now index=ops_confluence url IN 
("https://confluence.tshirt.com/display/SEC/*") uri_path="/rest/quickreload/latest/*" | fields url, uri_path | rex field=uri_path "\/rest\/quickreload\/latest\/(?[^?]+)" | rex field=url "https:\/\/confluence.tshirt.com\/display\/SEC\/(?[^?]+)" | rex field=url "https://confluence.tshirt.com/display/~u00001/(?[^?]+)" | eval pageTitle=coalesce(pageTitle_1, pageTitle_2, "") | fields pageId, pageTitle | dedup pageId | join type=left pageId [search earliest=08/31/2019:00:00:00 latest=now index=ops_confluence PUT user=* url="https://confluence.tshirt.com/pages/resumedraft.action?draftId=*" uri_path="/rest/api/content/*" | rex field=uri_path "\/rest\/api\/content\/(?[^?]+)\?status=draft" | stats latest(_time) AS last_edited latest(user) AS last_edited_by by pageId | fields last_edited last_edited_by pageId] | fields last_edited pageTitle pageId last_edited_by | eval days=round(((now()-last_edited)/86400),0) | convert ctime(last_edited) | table last_edited pageTitle pageId last_edited_by days | where pageId!=0 | sort +days | outputlookup dmo_conf_age.csv'] Audit:[timestamp=06-07-2022 12:06:29.118, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654603500_59449', total_run_time=24.02, event_count=0, result_count=0, available_count=0, scan_count=21909491, drop_count=0, exec_time=1654603550, api_et=1654589100.000000000, api_lt=1654603500.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654589100.000000000, search_lt=1654603500.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3345", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=110, eliminated_buckets=0, 
considered_events=21909491, total_slices=1204364, decompressed_slices=363346, duration.command.search.index=10604, invocations.command.search.index.bucketcache.hit=110, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=73385, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11719240, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] 
Audit:[timestamp=06-07-2022 12:05:29.784, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654603440_59430', total_run_time=31.28, event_count=0, result_count=0, available_count=0, scan_count=21910072, drop_count=0, exec_time=1654603489, api_et=1654589040.000000000, api_lt=1654603440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654589040.000000000, search_lt=1654603440.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2886", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=110, eliminated_buckets=0, considered_events=21910072, total_slices=1202654, decompressed_slices=363329, duration.command.search.index=11903, invocations.command.search.index.bucketcache.hit=110, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=96185, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11718128, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs 
sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 12:04:29.058, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654603380_59388', total_run_time=31.80, event_count=0, result_count=0, available_count=0, scan_count=21909500, drop_count=0, exec_time=1654603429, api_et=1654588980.000000000, api_lt=1654603380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654588980.000000000, search_lt=1654603380.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3022", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=110, eliminated_buckets=0, considered_events=21909500, total_slices=1201180, decompressed_slices=363347, duration.command.search.index=13187, invocations.command.search.index.bucketcache.hit=110, 
duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=134887, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11719033, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 12:03:29.935, user=u00002, action=search, info=completed, 
search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654603320_59342', total_run_time=30.10, event_count=0, result_count=0, available_count=0, scan_count=21907934, drop_count=0, exec_time=1654603369, api_et=1654588920.000000000, api_lt=1654603320.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654588920.000000000, search_lt=1654603320.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2768", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=110, eliminated_buckets=0, considered_events=21907934, total_slices=1199361, decompressed_slices=363355, duration.command.search.index=12601, invocations.command.search.index.bucketcache.hit=110, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=110322, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11716401, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" 
src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 12:02:12.375, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654603260_59311', total_run_time=19.32, event_count=0, result_count=0, available_count=0, scan_count=21912973, drop_count=0, exec_time=1654603309, api_et=1654588860.000000000, api_lt=1654603260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654588860.000000000, search_lt=1654603260.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2633", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=110, eliminated_buckets=0, considered_events=21912973, total_slices=1197725, decompressed_slices=363392, duration.command.search.index=11795, invocations.command.search.index.bucketcache.hit=110, duration.command.search.index.bucketcache.hit=0, 
invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=81327, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11716125, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 12:01:54.123, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654603200_59279', total_run_time=21.48, 
event_count=0, result_count=0, available_count=0, scan_count=21916371, drop_count=0, exec_time=1654603250, api_et=1654588800.000000000, api_lt=1654603200.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654588800.000000000, search_lt=1654603200.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2694", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=110, eliminated_buckets=0, considered_events=21916371, total_slices=1196156, decompressed_slices=363411, duration.command.search.index=11732, invocations.command.search.index.bucketcache.hit=110, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=86357, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11715565, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, 
dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 12:01:53.342, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD5447569e8e48a25cb_at_1654603200_59275', total_run_time=63.04, event_count=0, result_count=101, available_count=0, scan_count=0, drop_count=0, exec_time=1654603232, api_et=1654601400.000000000, api_lt=1654603200.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654601400.000000000, search_lt=1654603200.000000000, is_realtime=0, savedsearch_name="DMO SOP SIR Metrics", search_startup_time="63872", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=0, eliminated_buckets=0, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=0, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, 
invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='| inputlookup dmo_conf_age.csv | search pageTitle IN ("DMOESS*", "RQ-S*") NOT pageTitle IN ("*+Retired", "*+RETIRED") | rex field=pageTitle "^(?\S+?)\+" | join usecase_id [| search earliest=-1y index=sec_snow sourcetype=snow:sn_si_incident | rex field=description "(?s)\|\s(?(RQ-|DMOESS).*)?For ServiceNow Consumption:" | stats latest(number) as latest_sir_number by _time, usecase_title | makemv usecase_title delim=" | " | mvexpand usecase_title | search usecase_title IN ("RQ-*", "DMOESS*") | stats last(latest_sir_number) as latest_sir_number latest(_time) as last_appeared_in_sir by usecase_title | rex field=usecase_title "^(?\S*)" | fields usecase_id, usecase_title, latest_sir_number, last_appeared_in_sir] | stats values(pageTitle) as conf_pageTitle, values(last_edited_by) as conf_last_edited_by, values(last_edited) as conf_last_edited, values(days) as conf_days_since_last_edit, values(pageId) as conf_pageId by last_appeared_in_sir, latest_sir_number, usecase_id, usecase_title | convert ctime(last_appeared_in_sir) | outputlookup dmo_sop_sir_metrics.csv'] Audit:[timestamp=06-07-2022 11:44:19.658, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654602180_58965', total_run_time=22.68, event_count=0, result_count=0, available_count=0, scan_count=3024, drop_count=0, exec_time=1654602217, api_et=1654598580.000000000, api_lt=1654602180.000000000, api_index_et=N/A, api_index_lt=N/A, 
search_et=1654598580.000000000, search_lt=1654602219.494938000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2373", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_675c675b2f579dbf", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=110, eliminated_buckets=0, considered_events=3024, total_slices=1007433, decompressed_slices=846, duration.command.search.index=1148, invocations.command.search.index.bucketcache.hit=110, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4892, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone 
dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 11:34:32.197, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654601580_58747', total_run_time=40.71, event_count=0, result_count=0, available_count=0, scan_count=41201961, drop_count=0, exec_time=1654601606, api_et=1654597980.000000000, api_lt=1654601580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654597980.000000000, search_lt=1654601608.251425000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="4348", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_e653fcfec3a11120", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=2357, eliminated_buckets=131, considered_events=41201961, total_slices=13924841, decompressed_slices=3951588, duration.command.search.index=15639, invocations.command.search.index.bucketcache.hit=2355, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=225682, invocations.command.search.rawdata.bucketcache.hit=269, duration.command.search.rawdata.bucketcache.hit=0, 
invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 11:16:48.380, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654600560_58385', total_run_time=8.89, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654600571, api_et=1654596360.000000000, api_lt=1654599960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654596960.000000000, search_lt=1654600573.446361000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - 
CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="4033", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_79b44775dbe65fa9", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1115, eliminated_buckets=396, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=714, invocations.command.search.index.bucketcache.hit=1115, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract 
payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 11:14:48.701, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654600440_58344', total_run_time=6.23, event_count=0, result_count=0, available_count=0, scan_count=13564, drop_count=0, exec_time=1654600463, api_et=1654596840.000000000, api_lt=1654600440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654596840.000000000, search_lt=1654600465.945880000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="3031", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=417, eliminated_buckets=283, 
considered_events=13660, total_slices=562041, decompressed_slices=2802, duration.command.search.index=1054, invocations.command.search.index.bucketcache.hit=417, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5821, invocations.command.search.rawdata.bucketcache.hit=6, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=44, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=106, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=281, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=62, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=3, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=181, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=1, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR 
sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." 
(CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-07-2022 11:12:23.547, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654600260_58279', total_run_time=4.86, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654600265, api_et=1654596660.000000000, api_lt=1654600260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654596660.000000000, search_lt=1654600267.249570000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2830", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_1dc5cf7b9fedd0f6", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=60, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=59, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 11:09:40.747, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654600020_58214', total_run_time=26.63, event_count=1136, result_count=54, available_count=0, scan_count=350478, drop_count=0, exec_time=1654600080, api_et=1654596420.000000000, api_lt=1654600020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654596420.000000000, search_lt=1654600082.296734000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2863", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=419, eliminated_buckets=205, considered_events=358143, total_slices=576257, decompressed_slices=103096, duration.command.search.index=4170, invocations.command.search.index.bucketcache.hit=416, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=33958, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=2, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=278258, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=34006, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-07-2022 11:09:39.931, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654600020_58209', total_run_time=6.12, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654600046, api_et=1654596420.000000000, api_lt=1654600020.000000000, api_index_et=N/A, 
api_index_lt=N/A, search_et=1654596420.000000000, search_lt=1654600048.129697000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2799", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_a3b241268f782e0f", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=419, eliminated_buckets=206, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=850, invocations.command.search.index.bucketcache.hit=417, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine 
"sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 11:09:38.623, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654600140_58232', total_run_time=18.75, event_count=0, result_count=0, available_count=0, scan_count=5141590, drop_count=0, exec_time=1654600145, api_et=1654595940.000000000, api_lt=1654599540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654595940.000000000, search_lt=1654599540.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3161", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_461132bdf1d75280", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=765, eliminated_buckets=373, considered_events=5141590, total_slices=1188777, decompressed_slices=241394, duration.command.search.index=2136, invocations.command.search.index.bucketcache.hit=764, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=38597, invocations.command.search.rawdata.bucketcache.hit=7, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=204, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 10:44:38.302, user=u00001, action=search, 
info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654598580_57718', total_run_time=32.08, event_count=0, result_count=0, available_count=0, scan_count=2977, drop_count=0, exec_time=1654598619, api_et=1654594980.000000000, api_lt=1654598580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654594980.000000000, search_lt=1654598620.890812000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2848", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_472342b61d0cc605", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=109, eliminated_buckets=0, considered_events=2977, total_slices=983377, decompressed_slices=843, duration.command.search.index=1265, invocations.command.search.index.bucketcache.hit=109, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5389, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") 
earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 10:34:26.244, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654597980_57486', total_run_time=51.16, event_count=0, result_count=0, available_count=0, scan_count=41136006, drop_count=0, exec_time=1654598006, api_et=1654594380.000000000, api_lt=1654597980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654594380.000000000, search_lt=1654598008.229056000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3791", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_3bfe9c5ca9c54737", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=2335, eliminated_buckets=131, considered_events=41136006, total_slices=13688822, decompressed_slices=3951434, duration.command.search.index=14594, invocations.command.search.index.bucketcache.hit=2333, 
duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=244718, invocations.command.search.rawdata.bucketcache.hit=250, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 10:19:19.290, user=u00001, action=search, info=completed, 
search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654596960_57109', total_run_time=8.94, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654596970, api_et=1654592760.000000000, api_lt=1654596360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654593360.000000000, search_lt=1654596973.121563000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="4203", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_adfddacb09bee600", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1117, eliminated_buckets=395, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=673, invocations.command.search.index.bucketcache.hit=1117, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert 
OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 10:14:39.037, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654596840_57069', total_run_time=9.18, event_count=0, result_count=0, available_count=0, scan_count=13145, drop_count=0, exec_time=1654596863, api_et=1654593240.000000000, api_lt=1654596840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654593240.000000000, search_lt=1654596865.290500000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2839", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=421, eliminated_buckets=290, considered_events=13204, total_slices=802751, decompressed_slices=3263, duration.command.search.index=1359, invocations.command.search.index.bucketcache.hit=421, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=7336, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=39, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=141, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=316, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=76, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=1, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=94, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=2, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") 
`filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-07-2022 10:11:23.201, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654596660_57003', total_run_time=4.97, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654596664, api_et=1654593060.000000000, api_lt=1654596660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654593060.000000000, search_lt=1654596666.417667000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2820", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_b2252fe43f45ea3e", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=60, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=62, invocations.command.search.index.bucketcache.hit=144, 
duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 10:10:09.132, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654596540_56958', total_run_time=36.99, event_count=0, result_count=0, available_count=0, scan_count=4954469, drop_count=0, exec_time=1654596545, api_et=1654592340.000000000, api_lt=1654595940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654592340.000000000, search_lt=1654595940.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3302", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_bd63ccef99847d62", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=763, eliminated_buckets=367, considered_events=4954469, total_slices=1070956, decompressed_slices=233894, duration.command.search.index=2322, invocations.command.search.index.bucketcache.hit=757, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=39985, invocations.command.search.rawdata.bucketcache.hit=5, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=398, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 10:08:55.241, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654596420_56934', total_run_time=9.22, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654596446, api_et=1654592820.000000000, api_lt=1654596420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654592820.000000000, search_lt=1654596448.605378000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To 
Gitlab Servers - Rule", search_startup_time="2901", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_5b24f8867e8bb174", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=422, eliminated_buckets=206, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=1241, invocations.command.search.index.bucketcache.hit=422, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host 
ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 10:08:54.550, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654596420_56939', total_run_time=28.74, event_count=1136, result_count=55, available_count=0, scan_count=346265, drop_count=0, exec_time=1654596480, api_et=1654592820.000000000, api_lt=1654596420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654592820.000000000, search_lt=1654596482.487833000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2867", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=422, eliminated_buckets=206, considered_events=355593, total_slices=771160, decompressed_slices=120627, duration.command.search.index=6082, invocations.command.search.index.bucketcache.hit=422, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=49197, invocations.command.search.rawdata.bucketcache.hit=8, duration.command.search.rawdata.bucketcache.hit=0, 
invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=2, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=278251, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=31664, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] 
Audit:[timestamp=06-07-2022 09:45:55.423, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654594380_56224', total_run_time=69.36, event_count=0, result_count=0, available_count=0, scan_count=41030875, drop_count=0, exec_time=1654594405, api_et=1654590780.000000000, api_lt=1654594380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654590780.000000000, search_lt=1654594407.084277000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3626", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_85bccac163aec8b5", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=2324, eliminated_buckets=131, considered_events=41030875, total_slices=13533484, decompressed_slices=3888910, duration.command.search.index=15493, invocations.command.search.index.bucketcache.hit=2319, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=261909, invocations.command.search.rawdata.bucketcache.hit=232, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 09:45:54.786, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654594980_56443', total_run_time=28.79, event_count=0, result_count=0, available_count=0, scan_count=3097, drop_count=0, exec_time=1654595018, api_et=1654591380.000000000, api_lt=1654594980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654591380.000000000, search_lt=1654595020.779981000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2982", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_62ea43b2ca6037b7", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=109, eliminated_buckets=0, considered_events=3097, total_slices=909864, decompressed_slices=803, duration.command.search.index=1211, invocations.command.search.index.bucketcache.hit=109, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5100, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter 
vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 09:16:48.412, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654593360_55856', total_run_time=12.68, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654593371, api_et=1654589160.000000000, api_lt=1654592760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654589760.000000000, search_lt=1654593373.257644000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3678", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_a67c6ed3a8443527", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1114, eliminated_buckets=395, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=668, invocations.command.search.index.bucketcache.hit=1114, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 09:14:48.416, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654593240_55816', total_run_time=6.00, event_count=0, result_count=0, available_count=0, scan_count=12755, drop_count=0, exec_time=1654593263, api_et=1654589640.000000000, api_lt=1654593240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654589640.000000000, search_lt=1654593265.046001000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2841", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=425, eliminated_buckets=294, considered_events=12755, total_slices=901844, decompressed_slices=3004, duration.command.search.index=1065, invocations.command.search.index.bucketcache.hit=425, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=6167, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=35, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=145, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=321, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=75, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=1, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=164, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=2, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") 
`filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-07-2022 09:11:16.684, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654593060_55748', total_run_time=4.62, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654593064, api_et=1654589460.000000000, api_lt=1654593060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654589460.000000000, search_lt=1654593066.326909000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2306", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_453b8a96673c46fd", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=142, eliminated_buckets=59, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=59, invocations.command.search.index.bucketcache.hit=142, 
duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 09:09:32.048, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654592940_55701', total_run_time=19.54, event_count=0, result_count=0, available_count=0, scan_count=5067213, drop_count=0, exec_time=1654592945, api_et=1654588740.000000000, api_lt=1654592340.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654588740.000000000, search_lt=1654592340.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3030", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_41795f93cc5b7a09", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=780, eliminated_buckets=375, considered_events=5067213, total_slices=1040544, decompressed_slices=228274, duration.command.search.index=2096, invocations.command.search.index.bucketcache.hit=775, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=37882, invocations.command.search.rawdata.bucketcache.hit=17, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=121, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 09:08:32.082, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654592820_55682', total_run_time=17.83, event_count=1461, result_count=54, available_count=0, scan_count=341147, drop_count=0, exec_time=1654592880, api_et=1654589220.000000000, api_lt=1654592820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654589220.000000000, search_lt=1654592882.138356000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2828", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=422, eliminated_buckets=203, considered_events=345035, total_slices=772400, decompressed_slices=211659, duration.command.search.index=5226, invocations.command.search.index.bucketcache.hit=422, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=47112, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=6, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=280546, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=29205, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype 
CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-07-2022 09:07:47.311, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654592820_55677', total_run_time=6.24, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654592846, api_et=1654589220.000000000, api_lt=1654592820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654589220.000000000, search_lt=1654592848.146838000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2782", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_6555b67906ef7a65", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=422, eliminated_buckets=203, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=1705, invocations.command.search.index.bucketcache.hit=422, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 09:00:08.793, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654592340_55471', total_run_time=16.57, event_count=0, result_count=0, available_count=0, scan_count=22047810, drop_count=0, exec_time=1654592390, api_et=1654577940.000000000, api_lt=1654592340.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654577940.000000000, search_lt=1654592340.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3397", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=111, eliminated_buckets=0, considered_events=22047810, total_slices=984039, decompressed_slices=364939, duration.command.search.index=7549, invocations.command.search.index.bucketcache.hit=111, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=63877, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11616944, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 08:59:08.490, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654592280_55458', total_run_time=14.16, event_count=0, result_count=0, available_count=0, scan_count=22045358, drop_count=0, exec_time=1654592329, api_et=1654577880.000000000, api_lt=1654592280.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654577880.000000000, search_lt=1654592280.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3364", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=111, eliminated_buckets=0, considered_events=22045358, total_slices=982319, decompressed_slices=364948, duration.command.search.index=7825, invocations.command.search.index.bucketcache.hit=111, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56535, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11615008, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 08:58:08.534, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654592220_55441', total_run_time=15.87, event_count=0, result_count=0, available_count=0, scan_count=22043658, drop_count=0, exec_time=1654592270, api_et=1654577820.000000000, api_lt=1654592220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654577820.000000000, search_lt=1654592220.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2718", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=111, eliminated_buckets=0, considered_events=22043658, total_slices=980704, decompressed_slices=365042, duration.command.search.index=8393, invocations.command.search.index.bucketcache.hit=111, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59917, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11612849, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 08:57:08.569, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654592160_55423', total_run_time=15.00, event_count=0, result_count=0, available_count=0, scan_count=22038986, drop_count=0, exec_time=1654592210, api_et=1654577760.000000000, api_lt=1654592160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654577760.000000000, search_lt=1654592160.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2753", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=111, eliminated_buckets=0, considered_events=22038986, total_slices=979141, decompressed_slices=365058, duration.command.search.index=7872, invocations.command.search.index.bucketcache.hit=111, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57544, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11609902, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 08:56:08.582, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654592100_55412', total_run_time=13.82, event_count=0, result_count=0, available_count=0, scan_count=22032458, drop_count=0, exec_time=1654592149, api_et=1654577700.000000000, api_lt=1654592100.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654577700.000000000, search_lt=1654592100.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2610", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=112, eliminated_buckets=0, considered_events=22032458, total_slices=1004185, decompressed_slices=364973, duration.command.search.index=8245, invocations.command.search.index.bucketcache.hit=112, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55407, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11606057, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 08:55:46.279, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654592040_55396', total_run_time=15.74, event_count=0, result_count=0, available_count=0, scan_count=22028398, drop_count=0, exec_time=1654592090, api_et=1654577640.000000000, api_lt=1654592040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654577640.000000000, search_lt=1654592040.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2730", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=112, eliminated_buckets=0, considered_events=22028398, total_slices=1002547, decompressed_slices=364971, duration.command.search.index=8445, invocations.command.search.index.bucketcache.hit=112, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=54933, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11602972, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 08:54:08.588, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654591980_55379', total_run_time=16.20, event_count=0, result_count=0, available_count=0, scan_count=22024814, drop_count=0, exec_time=1654592030, api_et=1654577580.000000000, api_lt=1654591980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654577580.000000000, search_lt=1654591980.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3208", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=112, eliminated_buckets=0, considered_events=22024814, total_slices=1000908, decompressed_slices=364932, duration.command.search.index=9030, invocations.command.search.index.bucketcache.hit=112, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57287, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11600449, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 08:53:38.501, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654591920_55354', total_run_time=18.49, event_count=0, result_count=0, available_count=0, scan_count=22020503, drop_count=0, exec_time=1654591970, api_et=1654577520.000000000, api_lt=1654591920.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654577520.000000000, search_lt=1654591920.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2781", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=113, eliminated_buckets=0, considered_events=22020503, total_slices=999296, decompressed_slices=364954, duration.command.search.index=8937, invocations.command.search.index.bucketcache.hit=112, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=66742, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11598312, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 08:52:27.177, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654591860_55337', total_run_time=15.86, event_count=0, result_count=0, available_count=0, scan_count=22016126, drop_count=0, exec_time=1654591909, api_et=1654577460.000000000, api_lt=1654591860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654577460.000000000, search_lt=1654591860.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2648", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=113, eliminated_buckets=0, considered_events=22016126, total_slices=997796, decompressed_slices=364949, duration.command.search.index=9211, invocations.command.search.index.bucketcache.hit=112, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59326, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11596252, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 08:52:03.024, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654591800_55312', total_run_time=18.61, event_count=0, result_count=0, available_count=0, scan_count=22013055, drop_count=0, exec_time=1654591850, api_et=1654577400.000000000, api_lt=1654591800.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654577400.000000000, search_lt=1654591800.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3029", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=113, eliminated_buckets=0, considered_events=22013055, total_slices=996152, decompressed_slices=364854, duration.command.search.index=9168, invocations.command.search.index.bucketcache.hit=112, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=65153, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11593496, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 08:52:02.074, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654591740_55277', total_run_time=21.70, event_count=0, result_count=0, available_count=0, scan_count=22010529, drop_count=0, exec_time=1654591791, api_et=1654577340.000000000, api_lt=1654591740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654577340.000000000, search_lt=1654591740.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3560", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=113, eliminated_buckets=0, considered_events=22010529, total_slices=994487, decompressed_slices=364881, duration.command.search.index=8607, invocations.command.search.index.bucketcache.hit=112, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=65980, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11593740, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 08:49:17.921, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654591680_55254', total_run_time=16.25, event_count=0, result_count=0, available_count=0, scan_count=22003642, drop_count=0, exec_time=1654591730, api_et=1654577280.000000000, api_lt=1654591680.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654577280.000000000, search_lt=1654591680.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3266", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=113, eliminated_buckets=0, considered_events=22003642, total_slices=992916, decompressed_slices=364726, duration.command.search.index=8316, invocations.command.search.index.bucketcache.hit=112, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57525, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11590994, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 08:48:19.756, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654591620_55237', total_run_time=14.83, event_count=0, result_count=0, available_count=0, scan_count=21998197, drop_count=0, exec_time=1654591670, api_et=1654577220.000000000, api_lt=1654591620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654577220.000000000, search_lt=1654591620.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3032", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=113, eliminated_buckets=0, considered_events=21998197, total_slices=991205, decompressed_slices=364646, duration.command.search.index=8099, invocations.command.search.index.bucketcache.hit=112, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57578, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11589166, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 08:47:19.272, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654591560_55215', total_run_time=14.02, event_count=0, result_count=0, available_count=0, scan_count=21993503, drop_count=0, exec_time=1654591610, api_et=1654577160.000000000, api_lt=1654591560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654577160.000000000, search_lt=1654591560.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3160", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=113, eliminated_buckets=0, considered_events=21993503, total_slices=989643, decompressed_slices=364563, duration.command.search.index=8097, invocations.command.search.index.bucketcache.hit=112, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=55163, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11586918, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 08:46:18.691, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654591500_55197', total_run_time=14.18, event_count=0, result_count=0, available_count=0, scan_count=21992186, drop_count=0, exec_time=1654591551, api_et=1654577100.000000000, api_lt=1654591500.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654577100.000000000, search_lt=1654591500.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2998", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=113, eliminated_buckets=0, considered_events=21992186, total_slices=988050, decompressed_slices=364640, duration.command.search.index=8146, invocations.command.search.index.bucketcache.hit=112, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59039, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11585330, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 08:45:08.611, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654591440_55175', total_run_time=15.44, event_count=0, result_count=0, available_count=0, scan_count=21989068, drop_count=0, exec_time=1654591490, api_et=1654577040.000000000, api_lt=1654591440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654577040.000000000, search_lt=1654591440.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2838", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=113, eliminated_buckets=0, considered_events=21989068, total_slices=986440, decompressed_slices=364711, duration.command.search.index=8324, invocations.command.search.index.bucketcache.hit=113, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58215, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11583642, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 08:44:50.128, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654591320_55125', total_run_time=16.13, event_count=0, result_count=0, available_count=0, scan_count=21978282, drop_count=0, exec_time=1654591369, api_et=1654576920.000000000, api_lt=1654591320.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654576920.000000000, search_lt=1654591320.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2777", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=114, eliminated_buckets=0, considered_events=21978282, total_slices=1009599, decompressed_slices=364577, duration.command.search.index=8811, invocations.command.search.index.bucketcache.hit=114, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=60973, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11580801, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 08:44:48.941, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654591200_55076', total_run_time=16.12, event_count=0, result_count=0, available_count=0, scan_count=21967976, drop_count=0, exec_time=1654591249, api_et=1654576800.000000000, api_lt=1654591200.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654576800.000000000, search_lt=1654591200.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2718", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=114, eliminated_buckets=0, considered_events=21967976, total_slices=1006521, decompressed_slices=364421, duration.command.search.index=9318, invocations.command.search.index.bucketcache.hit=114, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=62735, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11576972, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 08:44:48.353, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654591140_55041', total_run_time=17.73, event_count=0, result_count=0, available_count=0, scan_count=21966001, drop_count=0, exec_time=1654591189, api_et=1654576740.000000000, api_lt=1654591140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654576740.000000000, search_lt=1654591140.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2644", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=114, eliminated_buckets=0, considered_events=21966001, total_slices=1004748, decompressed_slices=364440, duration.command.search.index=8156, invocations.command.search.index.bucketcache.hit=114, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57696, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11574882, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 08:44:47.444, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654591380_55154', total_run_time=15.36, event_count=0, result_count=0, available_count=0, scan_count=21985231, drop_count=0, exec_time=1654591430, api_et=1654576980.000000000, api_lt=1654591380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654576980.000000000, search_lt=1654591380.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3267", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=114, eliminated_buckets=0, considered_events=21985231, total_slices=1011226, decompressed_slices=364682, duration.command.search.index=8605, invocations.command.search.index.bucketcache.hit=114, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56202, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11583479, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 08:44:47.261, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654591260_55102', total_run_time=22.94, event_count=0, result_count=0, available_count=0, scan_count=21972829, drop_count=0, exec_time=1654591309, api_et=1654576860.000000000, api_lt=1654591260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654576860.000000000, search_lt=1654591260.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2708", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=114, eliminated_buckets=0, considered_events=21972829, total_slices=1008025, decompressed_slices=364474, duration.command.search.index=8658, invocations.command.search.index.bucketcache.hit=114, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=62226, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11578901, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 08:44:45.503, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654591380_55151', total_run_time=23.47, event_count=0, result_count=0, available_count=0, scan_count=3202, drop_count=0, exec_time=1654591418, api_et=1654587780.000000000, api_lt=1654591380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654587780.000000000, search_lt=1654591420.091689000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2899", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_2f04bf89c1451858", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=110, eliminated_buckets=0, considered_events=3202, total_slices=719462, decompressed_slices=845, duration.command.search.index=1167, invocations.command.search.index.bucketcache.hit=110, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4820, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter 
vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 08:39:12.086, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654591080_55025', total_run_time=15.89, event_count=0, result_count=0, available_count=0, scan_count=21962931, drop_count=0, exec_time=1654591130, api_et=1654576680.000000000, api_lt=1654591080.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654576680.000000000, search_lt=1654591080.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2629", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=114, eliminated_buckets=0, considered_events=21962931, total_slices=1003270, decompressed_slices=364428, duration.command.search.index=7951, invocations.command.search.index.bucketcache.hit=114, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59256, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11573685, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 08:38:42.397, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654590960_54995', total_run_time=14.67, event_count=0, result_count=0, available_count=0, scan_count=21947100, drop_count=0, exec_time=1654591009, api_et=1654576560.000000000, api_lt=1654590960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654576560.000000000, search_lt=1654590960.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2863", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=114, eliminated_buckets=0, considered_events=21947100, total_slices=999849, decompressed_slices=364287, duration.command.search.index=7961, invocations.command.search.index.bucketcache.hit=114, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=56909, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11570194, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 08:38:42.319, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654590900_54985', total_run_time=15.65, event_count=0, result_count=0, available_count=0, scan_count=21941056, drop_count=0, exec_time=1654590950, api_et=1654576500.000000000, api_lt=1654590900.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654576500.000000000, search_lt=1654590900.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2649", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=114, eliminated_buckets=0, considered_events=21941056, total_slices=998246, decompressed_slices=364175, duration.command.search.index=8063, invocations.command.search.index.bucketcache.hit=114, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57718, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11567616, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 08:38:40.919, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654590840_54964', total_run_time=19.22, event_count=0, result_count=0, available_count=0, scan_count=21938796, drop_count=0, exec_time=1654590889, api_et=1654576440.000000000, api_lt=1654590840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654576440.000000000, search_lt=1654590840.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2778", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=114, eliminated_buckets=0, considered_events=21938796, total_slices=996668, decompressed_slices=364166, duration.command.search.index=8404, invocations.command.search.index.bucketcache.hit=114, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61596, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11566344, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 08:38:38.923, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654591020_55010', total_run_time=14.82, event_count=0, result_count=0, available_count=0, scan_count=21954391, drop_count=0, exec_time=1654591070, api_et=1654576620.000000000, api_lt=1654591020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654576620.000000000, search_lt=1654591020.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2800", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=114, eliminated_buckets=0, considered_events=21954391, total_slices=1001511, decompressed_slices=364300, duration.command.search.index=8125, invocations.command.search.index.bucketcache.hit=114, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=57228, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11571311, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 08:34:21.977, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654590780_54928', total_run_time=27.57, event_count=0, result_count=0, available_count=0, scan_count=21935694, drop_count=0, exec_time=1654590829, api_et=1654576380.000000000, api_lt=1654590780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654576380.000000000, search_lt=1654590780.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2628", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=114, eliminated_buckets=0, considered_events=21935694, total_slices=995033, decompressed_slices=364180, duration.command.search.index=10521, invocations.command.search.index.bucketcache.hit=114, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=73571, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11565960, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 08:34:21.718, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654590780_54914', total_run_time=39.68, event_count=0, result_count=0, available_count=0, scan_count=40795882, drop_count=0, exec_time=1654590805, api_et=1654587180.000000000, api_lt=1654590780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654587180.000000000, search_lt=1654590807.161838000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3668", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_5f494f722dee526e", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=2344, eliminated_buckets=131, considered_events=40795882, total_slices=13684070, decompressed_slices=3864717, duration.command.search.index=14282, invocations.command.search.index.bucketcache.hit=2336, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=220785, invocations.command.search.rawdata.bucketcache.hit=246, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 08:33:21.828, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654590720_54892', total_run_time=27.56, event_count=0, result_count=0, available_count=0, scan_count=21926254, drop_count=0, exec_time=1654590769, api_et=1654576320.000000000, api_lt=1654590720.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654576320.000000000, search_lt=1654590720.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2633", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=114, eliminated_buckets=0, considered_events=21926254, total_slices=993286, decompressed_slices=364062, duration.command.search.index=10314, invocations.command.search.index.bucketcache.hit=114, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=75097, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11563819, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 08:32:21.846, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654590660_54863', total_run_time=24.22, event_count=0, result_count=0, available_count=0, scan_count=21919135, drop_count=0, exec_time=1654590709, api_et=1654576260.000000000, api_lt=1654590660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654576260.000000000, search_lt=1654590660.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3218", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=114, eliminated_buckets=0, considered_events=21919135, total_slices=991744, decompressed_slices=363978, duration.command.search.index=9456, invocations.command.search.index.bucketcache.hit=114, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=67006, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11562390, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 08:31:21.505, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654590600_54835', total_run_time=29.49, event_count=0, result_count=0, available_count=0, scan_count=21912955, drop_count=0, exec_time=1654590650, api_et=1654576200.000000000, api_lt=1654590600.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654576200.000000000, search_lt=1654590600.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2702", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=114, eliminated_buckets=0, considered_events=21912955, total_slices=990127, decompressed_slices=364018, duration.command.search.index=10978, invocations.command.search.index.bucketcache.hit=114, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=81574, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11560851, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 08:30:24.883, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654590540_54793', total_run_time=29.54, event_count=0, result_count=0, available_count=0, scan_count=21906918, drop_count=0, exec_time=1654590590, api_et=1654576140.000000000, api_lt=1654590540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654576140.000000000, search_lt=1654590540.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2634", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=114, eliminated_buckets=0, considered_events=21906918, total_slices=988422, decompressed_slices=363986, duration.command.search.index=8200, invocations.command.search.index.bucketcache.hit=114, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=65966, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11560582, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 08:29:21.645, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654590480_54779', total_run_time=16.64, event_count=0, result_count=0, available_count=0, scan_count=21902914, drop_count=0, exec_time=1654590529, api_et=1654576080.000000000, api_lt=1654590480.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654576080.000000000, search_lt=1654590480.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2626", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=114, eliminated_buckets=0, considered_events=21902914, total_slices=986613, decompressed_slices=363924, duration.command.search.index=8489, invocations.command.search.index.bucketcache.hit=114, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58680, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11562659, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 08:28:21.440, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654590420_54765', total_run_time=18.89, event_count=0, result_count=0, available_count=0, scan_count=21894595, drop_count=0, exec_time=1654590469, api_et=1654576020.000000000, api_lt=1654590420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654576020.000000000, search_lt=1654590420.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2728", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=114, eliminated_buckets=0, considered_events=21894595, total_slices=985098, decompressed_slices=363854, duration.command.search.index=8593, invocations.command.search.index.bucketcache.hit=114, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59716, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11560491, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 08:27:21.724, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654590360_54747', total_run_time=17.03, event_count=0, result_count=0, available_count=0, scan_count=21889971, drop_count=0, exec_time=1654590410, api_et=1654575960.000000000, api_lt=1654590360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654575960.000000000, search_lt=1654590360.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2655", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=114, eliminated_buckets=0, considered_events=21889971, total_slices=983510, decompressed_slices=363731, duration.command.search.index=8192, invocations.command.search.index.bucketcache.hit=114, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58895, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11560433, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 08:26:21.818, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654590300_54730', total_run_time=19.50, event_count=0, result_count=0, available_count=0, scan_count=21888029, drop_count=0, exec_time=1654590349, api_et=1654575900.000000000, api_lt=1654590300.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654575900.000000000, search_lt=1654590300.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3159", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=114, eliminated_buckets=0, considered_events=21888029, total_slices=981966, decompressed_slices=363714, duration.command.search.index=8453, invocations.command.search.index.bucketcache.hit=114, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=60277, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11559510, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 08:25:22.666, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654590240_54717', total_run_time=23.28, event_count=0, result_count=0, available_count=0, scan_count=21888275, drop_count=0, exec_time=1654590289, api_et=1654575840.000000000, api_lt=1654590240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654575840.000000000, search_lt=1654590240.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2675", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=114, eliminated_buckets=0, considered_events=21888275, total_slices=980331, decompressed_slices=363811, duration.command.search.index=8847, invocations.command.search.index.bucketcache.hit=114, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61919, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11560485, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 08:24:37.624, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654590180_54699', total_run_time=20.22, event_count=0, result_count=0, available_count=0, scan_count=21888428, drop_count=0, exec_time=1654590229, api_et=1654575780.000000000, api_lt=1654590180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654575780.000000000, search_lt=1654590180.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2731", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=114, eliminated_buckets=0, considered_events=21888428, total_slices=978762, decompressed_slices=363832, duration.command.search.index=9170, invocations.command.search.index.bucketcache.hit=114, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=63617, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11561027, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 08:24:06.181, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654590060_54650', total_run_time=19.98, event_count=0, result_count=0, available_count=0, scan_count=21880170, drop_count=0, exec_time=1654590110, api_et=1654575660.000000000, api_lt=1654590060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654575660.000000000, search_lt=1654590060.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2747", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=114, eliminated_buckets=0, considered_events=21880170, total_slices=975641, decompressed_slices=363786, duration.command.search.index=9618, invocations.command.search.index.bucketcache.hit=114, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=64306, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11555939, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 08:24:06.038, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD5f35305de57109d38_at_1654590000_54626', total_run_time=21.48, event_count=11556063, result_count=15, available_count=0, scan_count=21879902, drop_count=0, exec_time=1654590063, api_et=1654575600.000000000, api_lt=1654590000.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654575600.000000000, search_lt=1654590000.000000000, is_realtime=0, savedsearch_name="(1/3)_Public/NAT IP_Updating Existing IP", search_startup_time="3122", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_0f6d107c44b6659a", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=114, eliminated_buckets=0, considered_events=21879902, total_slices=974365, decompressed_slices=363909, duration.command.search.index=9178, invocations.command.search.index.bucketcache.hit=114, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59710, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11556063, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="False" | eval earliest_seen=strptime(existing_es, "%m/%d/%Y %H:%M:%S.%N") | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(earliest_seen) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields ServiceType, host, src_translated_ip, earliest_seen, latest_seen, right_now, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 08:24:05.952, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654590120_54666', total_run_time=25.60, event_count=0, result_count=0, available_count=0, scan_count=21885038, drop_count=0, exec_time=1654590170, api_et=1654575720.000000000, api_lt=1654590120.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654575720.000000000, search_lt=1654590120.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3198", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=114, eliminated_buckets=0, considered_events=21885038, total_slices=977109, decompressed_slices=363875, duration.command.search.index=9928, invocations.command.search.index.bucketcache.hit=114, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=68227, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11559070, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 08:24:04.981, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654589940_54582', total_run_time=24.97, event_count=0, result_count=0, available_count=0, scan_count=21876909, drop_count=0, exec_time=1654589990, api_et=1654575540.000000000, api_lt=1654589940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654575540.000000000, search_lt=1654589940.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3106", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=114, eliminated_buckets=0, considered_events=21876909, total_slices=972522, decompressed_slices=363939, duration.command.search.index=9662, invocations.command.search.index.bucketcache.hit=114, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=71416, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11555371, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 08:24:03.803, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654590000_54620', total_run_time=23.01, event_count=0, result_count=0, available_count=0, scan_count=21879906, drop_count=0, exec_time=1654590051, api_et=1654575600.000000000, api_lt=1654590000.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654575600.000000000, search_lt=1654590000.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3007", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=114, eliminated_buckets=0, considered_events=21879906, total_slices=974096, decompressed_slices=363909, duration.command.search.index=9279, invocations.command.search.index.bucketcache.hit=114, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=67565, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11556063, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 08:19:40.834, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654589880_54557', total_run_time=22.85, event_count=0, result_count=0, available_count=0, scan_count=21877501, drop_count=0, exec_time=1654589930, api_et=1654575480.000000000, api_lt=1654589880.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654575480.000000000, search_lt=1654589880.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3100", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=114, eliminated_buckets=0, considered_events=21877501, total_slices=970060, decompressed_slices=363973, duration.command.search.index=9769, invocations.command.search.index.bucketcache.hit=114, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=75972, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11556535, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 08:18:12.060, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654589820_54537', total_run_time=21.25, event_count=0, result_count=0, available_count=0, scan_count=21875098, drop_count=0, exec_time=1654589870, api_et=1654575420.000000000, api_lt=1654589820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654575420.000000000, search_lt=1654589820.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3323", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=114, eliminated_buckets=0, considered_events=21875098, total_slices=969253, decompressed_slices=363970, duration.command.search.index=10022, invocations.command.search.index.bucketcache.hit=114, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=74714, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11555585, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 08:17:12.446, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654589760_54512', total_run_time=18.10, event_count=0, result_count=0, available_count=0, scan_count=21871208, drop_count=0, exec_time=1654589810, api_et=1654575360.000000000, api_lt=1654589760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654575360.000000000, search_lt=1654589760.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3110", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=114, eliminated_buckets=0, considered_events=21871208, total_slices=967680, decompressed_slices=363888, duration.command.search.index=9782, invocations.command.search.index.bucketcache.hit=114, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=73345, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11554478, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 08:16:41.496, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654589760_54506', total_run_time=8.82, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654589771, api_et=1654585560.000000000, api_lt=1654589160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654586160.000000000, search_lt=1654589772.810944000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3668", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_435d5a1868c92941", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1116, eliminated_buckets=398, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=709, invocations.command.search.index.bucketcache.hit=1116, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes 
values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 08:16:11.159, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654589700_54495', total_run_time=19.58, event_count=0, result_count=0, available_count=0, scan_count=21869143, drop_count=0, exec_time=1654589750, api_et=1654575300.000000000, api_lt=1654589700.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654575300.000000000, search_lt=1654589700.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3118", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=114, eliminated_buckets=0, considered_events=21869143, total_slices=966220, decompressed_slices=363849, 
duration.command.search.index=9334, invocations.command.search.index.bucketcache.hit=114, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=67721, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11552127, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 08:15:10.915, user=u00002, action=search, 
info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654589640_54476', total_run_time=16.50, event_count=0, result_count=0, available_count=0, scan_count=21869802, drop_count=0, exec_time=1654589690, api_et=1654575240.000000000, api_lt=1654589640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654575240.000000000, search_lt=1654589640.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2799", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=114, eliminated_buckets=0, considered_events=21869802, total_slices=964539, decompressed_slices=363927, duration.command.search.index=7868, invocations.command.search.index.bucketcache.hit=114, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58992, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11552454, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" 
src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 08:14:40.897, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654589640_54463', total_run_time=4.53, event_count=0, result_count=0, available_count=0, scan_count=14237, drop_count=0, exec_time=1654589664, api_et=1654586040.000000000, api_lt=1654589640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654586040.000000000, search_lt=1654589665.900997000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2882", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=408, eliminated_buckets=283, considered_events=14363, total_slices=864358, decompressed_slices=2914, duration.command.search.index=1077, invocations.command.search.index.bucketcache.hit=408, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5788, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=38, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=94, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=218, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=52, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=2, sourcetype_count__crowdstrike:falcon:fdr:PdfFileWritten=1, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=230, sourcetype_count__crowdstrike:falcon:fdr:RtfFileWritten=4, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=1, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR 
sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." 
(CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-07-2022 08:14:10.996, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654589580_54453', total_run_time=16.22, event_count=0, result_count=0, available_count=0, scan_count=21869167, drop_count=0, exec_time=1654589630, api_et=1654575180.000000000, api_lt=1654589580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654575180.000000000, search_lt=1654589580.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2783", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=114, eliminated_buckets=0, considered_events=21869167, total_slices=962890, decompressed_slices=363956, duration.command.search.index=8125, invocations.command.search.index.bucketcache.hit=114, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=58907, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11551454, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 08:13:41.033, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654589520_54425', total_run_time=22.50, event_count=0, result_count=0, available_count=0, scan_count=21865942, drop_count=0, exec_time=1654589569, api_et=1654575120.000000000, api_lt=1654589520.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654575120.000000000, search_lt=1654589520.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3195", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=114, eliminated_buckets=0, considered_events=21865942, total_slices=961464, decompressed_slices=363951, duration.command.search.index=8430, invocations.command.search.index.bucketcache.hit=114, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=63117, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11550390, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 08:12:13.235, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654589460_54406', total_run_time=19.25, event_count=0, result_count=0, available_count=0, scan_count=21866008, drop_count=0, exec_time=1654589509, api_et=1654575060.000000000, api_lt=1654589460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654575060.000000000, search_lt=1654589460.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3199", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=114, eliminated_buckets=0, considered_events=21866008, total_slices=959758, decompressed_slices=363899, duration.command.search.index=8355, invocations.command.search.index.bucketcache.hit=114, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61211, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11550918, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 08:11:43.243, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654589400_54381', total_run_time=27.19, event_count=0, result_count=0, available_count=0, scan_count=21867359, drop_count=0, exec_time=1654589450, api_et=1654575000.000000000, api_lt=1654589400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654575000.000000000, search_lt=1654589400.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2695", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=114, eliminated_buckets=0, considered_events=21867359, total_slices=958278, decompressed_slices=363892, duration.command.search.index=9052, invocations.command.search.index.bucketcache.hit=114, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=66665, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11551443, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 08:11:43.045, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654589460_54388', total_run_time=4.77, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654589467, api_et=1654585860.000000000, api_lt=1654589460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654585860.000000000, search_lt=1654589469.265929000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2828", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_17b29164eb8f6884", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=141, eliminated_buckets=58, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=58, invocations.command.search.index.bucketcache.hit=141, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 08:10:38.562, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654589340_54349', total_run_time=23.48, event_count=0, result_count=0, available_count=0, scan_count=21870314, drop_count=0, exec_time=1654589389, api_et=1654574940.000000000, api_lt=1654589340.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654574940.000000000, search_lt=1654589340.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2736", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=114, eliminated_buckets=0, considered_events=21870314, total_slices=956615, decompressed_slices=363937, duration.command.search.index=8928, invocations.command.search.index.bucketcache.hit=114, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=66151, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11553375, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 08:09:41.085, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654589280_54333', total_run_time=20.96, event_count=0, result_count=0, available_count=0, scan_count=21872768, drop_count=0, exec_time=1654589330, api_et=1654574880.000000000, api_lt=1654589280.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654574880.000000000, search_lt=1654589280.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2714", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=114, eliminated_buckets=0, considered_events=21872768, total_slices=954901, decompressed_slices=363980, duration.command.search.index=9216, invocations.command.search.index.bucketcache.hit=114, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61277, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11554709, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 08:09:40.828, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654589340_54341', total_run_time=18.36, event_count=1, result_count=1, available_count=0, scan_count=5007639, drop_count=0, exec_time=1654589345, api_et=1654585140.000000000, api_lt=1654588740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654585140.000000000, search_lt=1654588740.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3242", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_5844a6a49835f16c", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=773, eliminated_buckets=376, considered_events=5007639, total_slices=1036125, decompressed_slices=224162, duration.command.search.index=2029, invocations.command.search.index.bucketcache.hit=773, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=36059, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=273, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 08:08:40.856, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654589220_54319', total_run_time=16.58, event_count=1170, result_count=54, available_count=0, scan_count=363071, drop_count=0, exec_time=1654589280, api_et=1654585620.000000000, api_lt=1654589220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654585620.000000000, search_lt=1654589282.251697000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2936", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=408, eliminated_buckets=197, considered_events=366705, total_slices=472128, decompressed_slices=111804, duration.command.search.index=3475, invocations.command.search.index.bucketcache.hit=408, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=31255, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=3, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=294220, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=34501, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype 
CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-07-2022 08:08:10.876, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654589220_54316', total_run_time=18.04, event_count=0, result_count=0, available_count=0, scan_count=21871284, drop_count=0, exec_time=1654589269, api_et=1654574820.000000000, api_lt=1654589220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654574820.000000000, search_lt=1654589220.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2620", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=114, eliminated_buckets=0, considered_events=21871284, total_slices=953208, decompressed_slices=363919, duration.command.search.index=8732, invocations.command.search.index.bucketcache.hit=114, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=62657, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11555435, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 08:07:40.894, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654589220_54311', total_run_time=5.92, event_count=0, result_count=0, available_count=0, 
scan_count=0, drop_count=0, exec_time=1654589246, api_et=1654585620.000000000, api_lt=1654589220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654585620.000000000, search_lt=1654589248.381417000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2904", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_098005952227fd35", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=408, eliminated_buckets=197, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=783, invocations.command.search.index.bucketcache.hit=408, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR 
CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 08:07:40.803, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654589160_54294', total_run_time=21.95, event_count=0, result_count=0, available_count=0, scan_count=21869140, drop_count=0, exec_time=1654589209, api_et=1654574760.000000000, api_lt=1654589160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654574760.000000000, search_lt=1654589160.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2631", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=114, eliminated_buckets=0, considered_events=21869140, total_slices=951681, decompressed_slices=363854, duration.command.search.index=9525, 
invocations.command.search.index.bucketcache.hit=114, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=67453, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11555081, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 08:06:27.146, user=u00002, action=search, info=completed, 
search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654589100_54280', total_run_time=20.88, event_count=0, result_count=0, available_count=0, scan_count=21868184, drop_count=0, exec_time=1654589150, api_et=1654574700.000000000, api_lt=1654589100.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654574700.000000000, search_lt=1654589100.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3191", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=114, eliminated_buckets=0, considered_events=21868184, total_slices=950053, decompressed_slices=363921, duration.command.search.index=9157, invocations.command.search.index.bucketcache.hit=114, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=69706, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11555016, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" 
src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 08:06:26.526, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654589040_54263', total_run_time=36.97, event_count=0, result_count=0, available_count=0, scan_count=21866623, drop_count=0, exec_time=1654589090, api_et=1654574640.000000000, api_lt=1654589040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654574640.000000000, search_lt=1654589040.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2929", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=114, eliminated_buckets=0, considered_events=21866623, total_slices=948329, decompressed_slices=363957, duration.command.search.index=11354, invocations.command.search.index.bucketcache.hit=114, duration.command.search.index.bucketcache.hit=0, 
invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=92324, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11554737, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 08:04:47.673, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654588980_54221', total_run_time=44.59, 
event_count=0, result_count=0, available_count=0, scan_count=21865542, drop_count=0, exec_time=1654589030, api_et=1654574580.000000000, api_lt=1654588980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654574580.000000000, search_lt=1654588980.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2685", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=114, eliminated_buckets=0, considered_events=21865542, total_slices=946748, decompressed_slices=363968, duration.command.search.index=12824, invocations.command.search.index.bucketcache.hit=114, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=121923, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11553546, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, 
dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 08:03:47.603, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654588920_54173', total_run_time=46.63, event_count=0, result_count=0, available_count=0, scan_count=21862279, drop_count=0, exec_time=1654588969, api_et=1654574520.000000000, api_lt=1654588920.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654574520.000000000, search_lt=1654588920.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2681", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=114, eliminated_buckets=0, considered_events=21862279, total_slices=945156, decompressed_slices=363930, duration.command.search.index=12001, invocations.command.search.index.bucketcache.hit=114, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, 
duration.command.search.rawdata=104690, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11552479, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 08:02:47.198, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654588860_54142', total_run_time=34.81, event_count=0, result_count=0, available_count=0, scan_count=21860879, drop_count=0, exec_time=1654588909, api_et=1654574460.000000000, 
api_lt=1654588860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654574460.000000000, search_lt=1654588860.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2700", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=114, eliminated_buckets=0, considered_events=21860879, total_slices=943556, decompressed_slices=363883, duration.command.search.index=9923, invocations.command.search.index.bucketcache.hit=114, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=77966, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11555819, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, 
earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 08:01:47.562, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654588800_54111', total_run_time=53.40, event_count=0, result_count=0, available_count=0, scan_count=21858881, drop_count=0, exec_time=1654588849, api_et=1654574400.000000000, api_lt=1654588800.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654574400.000000000, search_lt=1654588800.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2941", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=114, eliminated_buckets=0, considered_events=21858881, total_slices=941956, decompressed_slices=363799, duration.command.search.index=13158, invocations.command.search.index.bucketcache.hit=114, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=113606, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, 
invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11554289, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 07:44:20.011, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654587780_53797', total_run_time=34.17, event_count=0, result_count=0, available_count=0, scan_count=3594, drop_count=0, exec_time=1654587818, api_et=1654584180.000000000, api_lt=1654587780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654584180.000000000, search_lt=1654587820.555737000, is_realtime=0, savedsearch_name="Threat - 
DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2991", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_ba9b52c71ce969d3", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=111, eliminated_buckets=0, considered_events=3594, total_slices=665984, decompressed_slices=840, duration.command.search.index=1426, invocations.command.search.index.bucketcache.hit=111, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5197, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, 
risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 07:34:17.147, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654587180_53579', total_run_time=35.30, event_count=0, result_count=0, available_count=0, scan_count=40853617, drop_count=0, exec_time=1654587205, api_et=1654583580.000000000, api_lt=1654587180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654583580.000000000, search_lt=1654587207.566328000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3932", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_1d33490808b5f701", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=2323, eliminated_buckets=131, considered_events=40853617, total_slices=13309932, decompressed_slices=3814637, duration.command.search.index=14193, invocations.command.search.index.bucketcache.hit=2318, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=215882, invocations.command.search.rawdata.bucketcache.hit=226, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, 
invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 07:16:44.044, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654586160_53215', total_run_time=9.38, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654586171, api_et=1654581960.000000000, api_lt=1654585560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654582560.000000000, search_lt=1654586173.193496000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3698", has_error_msg=false, 
fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_cc02506e43c7a227", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1120, eliminated_buckets=402, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=713, invocations.command.search.index.bucketcache.hit=1120, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as 
task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 07:14:43.882, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654586040_53175', total_run_time=10.34, event_count=0, result_count=0, available_count=0, scan_count=15625, drop_count=0, exec_time=1654586063, api_et=1654582440.000000000, api_lt=1654586040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654582440.000000000, search_lt=1654586065.567369000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2974", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=408, eliminated_buckets=283, considered_events=15717, total_slices=819722, decompressed_slices=3496, duration.command.search.index=1008, 
invocations.command.search.index.bucketcache.hit=408, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=6484, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=55, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=162, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=323, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=75, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=4, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=265, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=5, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR 
sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." 
(CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-07-2022 07:11:14.150, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654585860_53109', total_run_time=4.88, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654585864, api_et=1654582260.000000000, api_lt=1654585860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654582260.000000000, search_lt=1654585866.534473000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2835", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_b70e7935b52e4de2", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=141, eliminated_buckets=58, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=55, invocations.command.search.index.bucketcache.hit=141, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 07:09:43.794, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654585740_53065', total_run_time=29.79, event_count=0, result_count=0, available_count=0, scan_count=5141284, drop_count=0, exec_time=1654585745, api_et=1654581540.000000000, api_lt=1654585140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654581540.000000000, search_lt=1654585140.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3104", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_094ac03b71075db1", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=771, eliminated_buckets=377, considered_events=5141284, total_slices=1001640, decompressed_slices=223413, duration.command.search.index=2261, invocations.command.search.index.bucketcache.hit=770, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=38447, invocations.command.search.rawdata.bucketcache.hit=7, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=184, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 07:08:44.928, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654585620_53047', total_run_time=27.63, event_count=1085, result_count=55, available_count=0, scan_count=339668, drop_count=0, exec_time=1654585680, api_et=1654582020.000000000, api_lt=1654585620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654582020.000000000, search_lt=1654585682.266887000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2902", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=409, eliminated_buckets=197, considered_events=348128, total_slices=468871, decompressed_slices=116048, duration.command.search.index=4557, invocations.command.search.index.bucketcache.hit=408, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=37766, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=274874, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=32144, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | 
rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-07-2022 07:07:43.841, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654585620_53042', total_run_time=9.13, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654585646, api_et=1654582020.000000000, api_lt=1654585620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654582020.000000000, search_lt=1654585648.215053000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2781", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_dadf0811c1314f03", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=409, eliminated_buckets=198, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=1090, invocations.command.search.index.bucketcache.hit=409, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, 
invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 06:44:14.242, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654584180_52542', total_run_time=28.30, event_count=0, result_count=0, available_count=0, scan_count=2748, drop_count=0, exec_time=1654584218, api_et=1654580580.000000000, api_lt=1654584180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654580580.000000000, search_lt=1654584220.465642000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3049", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_e2a3eda41af4d32c", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=111, eliminated_buckets=0, considered_events=2748, total_slices=583942, decompressed_slices=850, duration.command.search.index=1231, invocations.command.search.index.bucketcache.hit=111, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4862, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 06:34:12.342, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654583580_52318', total_run_time=43.53, event_count=0, result_count=0, available_count=0, scan_count=40470369, drop_count=0, exec_time=1654583605, api_et=1654579980.000000000, api_lt=1654583580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654579980.000000000, search_lt=1654583607.740487000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3748", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_46efa08930633216", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=2334, eliminated_buckets=131, considered_events=40470369, total_slices=13316639, decompressed_slices=3750607, duration.command.search.index=14696, invocations.command.search.index.bucketcache.hit=2328, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=226974, invocations.command.search.rawdata.bucketcache.hit=232, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 06:16:36.200, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654582560_51938', total_run_time=9.09, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654582570, api_et=1654578360.000000000, api_lt=1654581960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654578960.000000000, search_lt=1654582572.622441000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3608", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_3d7996254e32dfb9", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1121, eliminated_buckets=404, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=689, invocations.command.search.index.bucketcache.hit=1121, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 06:14:35.288, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654582440_51898', total_run_time=7.92, event_count=0, result_count=0, available_count=0, scan_count=12751, drop_count=0, exec_time=1654582463, api_et=1654578840.000000000, api_lt=1654582440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654578840.000000000, search_lt=1654582465.786964000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="3039", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=416, eliminated_buckets=290, considered_events=12751, total_slices=741426, decompressed_slices=3173, duration.command.search.index=1890, invocations.command.search.index.bucketcache.hit=415, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5987, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=46, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=101, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=255, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=62, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=4, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=117, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=1, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") 
`filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-07-2022 06:11:33.465, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654582140_51785', total_run_time=24.72, event_count=0, result_count=0, available_count=0, scan_count=4782874, drop_count=0, exec_time=1654582145, api_et=1654577940.000000000, api_lt=1654581540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654577940.000000000, search_lt=1654581540.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3069", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_a55b6953fabcb1b0", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=774, eliminated_buckets=384, considered_events=4782874, total_slices=954739, decompressed_slices=213302, duration.command.search.index=2197, invocations.command.search.index.bucketcache.hit=771, 
duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=37667, invocations.command.search.rawdata.bucketcache.hit=6, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=84, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | 
`rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 06:11:32.675, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654582260_51832', total_run_time=4.91, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654582265, api_et=1654578660.000000000, api_lt=1654582260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654578660.000000000, search_lt=1654582267.450375000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2942", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_dd32320340a49b31", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=58, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=56, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search 
index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 06:08:51.924, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654582020_51770', total_run_time=23.39, event_count=1173, result_count=55, available_count=0, scan_count=380891, drop_count=0, exec_time=1654582085, api_et=1654578420.000000000, api_lt=1654582020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654578420.000000000, search_lt=1654582086.994140000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2935", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=418, eliminated_buckets=197, considered_events=386288, total_slices=604379, decompressed_slices=111560, duration.command.search.index=4504, invocations.command.search.index.bucketcache.hit=417, 
duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=41888, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=2, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=307823, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=34892, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, 
risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-07-2022 06:07:51.989, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654582020_51759', total_run_time=6.67, event_count=0, result_count=0, available_count=0, scan_count=2, drop_count=0, exec_time=1654582046, api_et=1654578420.000000000, api_lt=1654582020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654578420.000000000, search_lt=1654582047.997025000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2737", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_cdd3b9797233a714", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=418, eliminated_buckets=197, considered_events=2, total_slices=15646, decompressed_slices=1, duration.command.search.index=1064, invocations.command.search.index.bucketcache.hit=417, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=357, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 05:44:10.906, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654580580_51266', total_run_time=28.90, event_count=0, result_count=0, available_count=0, scan_count=3474, drop_count=0, exec_time=1654580618, api_et=1654576980.000000000, api_lt=1654580580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654576980.000000000, search_lt=1654580620.681099000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2987", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_daaf79861b7e89da", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=114, eliminated_buckets=0, considered_events=3474, total_slices=532200, decompressed_slices=901, duration.command.search.index=1202, invocations.command.search.index.bucketcache.hit=114, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4663, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 05:34:20.804, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654579980_51050', total_run_time=42.12, event_count=0, result_count=0, available_count=0, scan_count=40193757, drop_count=0, exec_time=1654580006, api_et=1654576380.000000000, api_lt=1654579980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654576380.000000000, search_lt=1654580008.421464000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3768", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_fe0d0e8d6591b4aa", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=2318, eliminated_buckets=131, considered_events=40193757, total_slices=13115738, decompressed_slices=3711860, duration.command.search.index=14170, invocations.command.search.index.bucketcache.hit=2314, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=214334, invocations.command.search.rawdata.bucketcache.hit=213, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 05:16:38.892, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654578960_50687', total_run_time=12.51, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654578976, api_et=1654574760.000000000, api_lt=1654578360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654575360.000000000, search_lt=1654578978.328156000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3630", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_bc1b85e2f27162db", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1124, eliminated_buckets=408, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=1146, invocations.command.search.index.bucketcache.hit=1124, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 05:16:38.117, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654578840_50646', total_run_time=21.26, event_count=0, result_count=0, available_count=0, scan_count=11594, drop_count=0, exec_time=1654578863, api_et=1654575240.000000000, api_lt=1654578840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654575240.000000000, search_lt=1654578865.483549000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="3061", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=411, eliminated_buckets=286, considered_events=11595, total_slices=657214, decompressed_slices=3073, duration.command.search.index=1496, invocations.command.search.index.bucketcache.hit=411, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=11658, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=38, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=139, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=406, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=100, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=2, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=110, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=9, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") 
`filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-07-2022 05:11:27.269, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654578660_50580', total_run_time=6.18, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654578664, api_et=1654575060.000000000, api_lt=1654578660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654575060.000000000, search_lt=1654578666.679607000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2868", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_99e98caeca07312f", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=57, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=55, invocations.command.search.index.bucketcache.hit=139, 
duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 05:10:35.845, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654578540_50536', total_run_time=45.11, event_count=0, result_count=0, available_count=0, scan_count=4925554, drop_count=0, exec_time=1654578545, api_et=1654574340.000000000, api_lt=1654577940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654574340.000000000, search_lt=1654577940.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3147", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_ad37561d1e4da97f", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=771, eliminated_buckets=381, considered_events=4925554, total_slices=950440, decompressed_slices=216998, duration.command.search.index=3126, invocations.command.search.index.bucketcache.hit=771, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=66293, invocations.command.search.rawdata.bucketcache.hit=9, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=111, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 05:08:55.163, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654578420_50518', total_run_time=43.47, event_count=1131, result_count=56, available_count=0, scan_count=356070, drop_count=0, exec_time=1654578480, api_et=1654574820.000000000, api_lt=1654578420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654574820.000000000, search_lt=1654578482.506844000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="3016", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=411, eliminated_buckets=197, considered_events=363219, total_slices=715273, decompressed_slices=105499, duration.command.search.index=13712, invocations.command.search.index.bucketcache.hit=411, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=148478, invocations.command.search.rawdata.bucketcache.hit=7, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=5, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=286244, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=36377, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype 
CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-07-2022 05:07:55.330, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654578420_50512', total_run_time=21.10, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654578447, api_et=1654574820.000000000, api_lt=1654578420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654574820.000000000, search_lt=1654578448.730011000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2752", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_fada89ab5e3b2e66", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=411, eliminated_buckets=197, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=2978, invocations.command.search.index.bucketcache.hit=411, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 05:01:15.489, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654577940_50304', total_run_time=27.43, event_count=0, result_count=0, available_count=0, scan_count=22004205, drop_count=0, exec_time=1654577990, api_et=1654563540.000000000, api_lt=1654577940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654563540.000000000, search_lt=1654577940.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2745", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=128, eliminated_buckets=0, considered_events=22004205, total_slices=1229280, decompressed_slices=379215, duration.command.search.index=7421, invocations.command.search.index.bucketcache.hit=128, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=62588, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11345696, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 04:59:25.609, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654577880_50291', total_run_time=16.39, event_count=0, result_count=0, available_count=0, scan_count=22015383, drop_count=0, exec_time=1654577930, api_et=1654563480.000000000, api_lt=1654577880.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654563480.000000000, search_lt=1654577880.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3113", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=129, eliminated_buckets=0, considered_events=22015383, total_slices=1254170, decompressed_slices=379430, duration.command.search.index=7254, invocations.command.search.index.bucketcache.hit=129, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=62174, invocations.command.search.rawdata.bucketcache.hit=20, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11346232, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 04:58:25.738, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654577820_50275', total_run_time=20.92, event_count=0, result_count=0, available_count=0, scan_count=22025474, drop_count=0, exec_time=1654577870, api_et=1654563420.000000000, api_lt=1654577820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654563420.000000000, search_lt=1654577820.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2814", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=129, eliminated_buckets=0, considered_events=22025474, total_slices=1252441, decompressed_slices=379591, duration.command.search.index=7423, invocations.command.search.index.bucketcache.hit=129, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61450, invocations.command.search.rawdata.bucketcache.hit=20, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11346391, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 04:57:25.719, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654577760_50258', total_run_time=16.75, event_count=0, result_count=0, available_count=0, scan_count=22035214, drop_count=0, exec_time=1654577809, api_et=1654563360.000000000, api_lt=1654577760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654563360.000000000, search_lt=1654577760.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2795", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=129, eliminated_buckets=0, considered_events=22035214, total_slices=1250934, decompressed_slices=379759, duration.command.search.index=7558, invocations.command.search.index.bucketcache.hit=129, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59458, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11347422, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 04:56:25.715, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654577700_50247', total_run_time=16.47, event_count=0, result_count=0, available_count=0, scan_count=22043564, drop_count=0, exec_time=1654577749, api_et=1654563300.000000000, api_lt=1654577700.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654563300.000000000, search_lt=1654577700.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2665", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=129, eliminated_buckets=0, considered_events=22043564, total_slices=1249354, decompressed_slices=379911, duration.command.search.index=7329, invocations.command.search.index.bucketcache.hit=129, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59683, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11348530, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 04:55:25.526, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654577640_50232', total_run_time=18.65, event_count=0, result_count=0, available_count=0, scan_count=22050241, drop_count=0, exec_time=1654577690, api_et=1654563240.000000000, api_lt=1654577640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654563240.000000000, search_lt=1654577640.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2747", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=129, eliminated_buckets=0, considered_events=22050241, total_slices=1247663, decompressed_slices=380062, duration.command.search.index=7469, invocations.command.search.index.bucketcache.hit=129, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59286, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11347895, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 04:54:25.655, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654577580_50215', total_run_time=19.88, event_count=0, result_count=0, available_count=0, scan_count=22057737, drop_count=0, exec_time=1654577630, api_et=1654563180.000000000, api_lt=1654577580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654563180.000000000, search_lt=1654577580.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3174", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=129, eliminated_buckets=0, considered_events=22057737, total_slices=1246034, decompressed_slices=380222, duration.command.search.index=7712, invocations.command.search.index.bucketcache.hit=129, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59256, invocations.command.search.rawdata.bucketcache.hit=19, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11348202, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 04:53:25.667, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654577520_50191', total_run_time=23.74, event_count=0, result_count=0, available_count=0, scan_count=22070549, drop_count=0, exec_time=1654577569, api_et=1654563120.000000000, api_lt=1654577520.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654563120.000000000, search_lt=1654577520.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2675", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=0, considered_events=22070549, total_slices=1270879, decompressed_slices=380414, duration.command.search.index=7858, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=62177, invocations.command.search.rawdata.bucketcache.hit=20, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11349228, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 04:52:26.117, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654577400_50149', total_run_time=24.13, event_count=0, result_count=0, available_count=0, scan_count=22089119, drop_count=0, exec_time=1654577449, api_et=1654563000.000000000, api_lt=1654577400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654563000.000000000, search_lt=1654577400.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2996", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=0, considered_events=22089119, total_slices=1267681, decompressed_slices=380762, duration.command.search.index=8366, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=62707, invocations.command.search.rawdata.bucketcache.hit=20, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11351796, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 04:52:23.910, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654577460_50174', total_run_time=19.66, event_count=0, result_count=0, available_count=0, scan_count=22080641, drop_count=0, exec_time=1654577509, api_et=1654563060.000000000, api_lt=1654577460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654563060.000000000, search_lt=1654577460.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2641", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=0, considered_events=22080641, total_slices=1269332, decompressed_slices=380614, duration.command.search.index=8568, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=59181, invocations.command.search.rawdata.bucketcache.hit=20, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11350314, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 04:52:22.963, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654577340_50113', total_run_time=28.70, event_count=0, result_count=0, available_count=0, scan_count=22099324, drop_count=0, exec_time=1654577391, api_et=1654562940.000000000, api_lt=1654577340.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654562940.000000000, search_lt=1654577340.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3131", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=0, considered_events=22099324, total_slices=1266098, decompressed_slices=380997, duration.command.search.index=8394, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=68361, invocations.command.search.rawdata.bucketcache.hit=20, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11351159, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 04:49:22.147, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654577280_50092', total_run_time=22.14, event_count=0, result_count=0, available_count=0, scan_count=22110044, drop_count=0, exec_time=1654577330, api_et=1654562880.000000000, api_lt=1654577280.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654562880.000000000, search_lt=1654577280.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3049", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=22110044, total_slices=1290575, decompressed_slices=381222, duration.command.search.index=8750, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=64261, invocations.command.search.rawdata.bucketcache.hit=21, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11352867, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 04:48:23.340, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654577220_50075', total_run_time=21.49, event_count=0, result_count=0, available_count=0, scan_count=22120530, drop_count=0, exec_time=1654577270, api_et=1654562820.000000000, api_lt=1654577220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654562820.000000000, search_lt=1654577220.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3065", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=22120530, total_slices=1289066, decompressed_slices=381424, duration.command.search.index=8307, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=60570, invocations.command.search.rawdata.bucketcache.hit=21, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11354180, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 04:47:46.721, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654577160_50054', total_run_time=21.28, event_count=0, result_count=0, available_count=0, scan_count=22127739, drop_count=0, exec_time=1654577210, api_et=1654562760.000000000, api_lt=1654577160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654562760.000000000, search_lt=1654577160.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2991", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=22127739, total_slices=1287517, decompressed_slices=381709, duration.command.search.index=7956, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=60686, invocations.command.search.rawdata.bucketcache.hit=21, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11353673, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 04:47:44.064, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654577100_50036', total_run_time=22.18, event_count=0, result_count=0, available_count=0, scan_count=22133110, drop_count=0, exec_time=1654577151, api_et=1654562700.000000000, api_lt=1654577100.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654562700.000000000, search_lt=1654577100.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2966", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=22133110, total_slices=1285880, decompressed_slices=381741, duration.command.search.index=8053, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=63044, invocations.command.search.rawdata.bucketcache.hit=21, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11354736, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 04:47:41.151, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654577040_50013', total_run_time=23.80, event_count=0, result_count=0, available_count=0, scan_count=22141416, drop_count=0, exec_time=1654577089, api_et=1654562640.000000000, api_lt=1654577040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654562640.000000000, search_lt=1654577040.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2682", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=0, considered_events=22141416, total_slices=1284264, decompressed_slices=381979, duration.command.search.index=8404, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=65894, invocations.command.search.rawdata.bucketcache.hit=21, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11355664, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 04:44:45.164, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654576980_49992', total_run_time=26.69, event_count=0, result_count=0, available_count=0, scan_count=22151315, drop_count=0, exec_time=1654577029, api_et=1654562580.000000000, api_lt=1654576980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654562580.000000000, search_lt=1654576980.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3226", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=0, considered_events=22151315, total_slices=1282649, decompressed_slices=382247, duration.command.search.index=8316, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=64373, invocations.command.search.rawdata.bucketcache.hit=20, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11355482, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 04:44:15.101, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654576980_49989', total_run_time=35.94, event_count=0, result_count=0, available_count=0, scan_count=3142, drop_count=0, exec_time=1654577018, api_et=1654573380.000000000, api_lt=1654576980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654573380.000000000, search_lt=1654577020.700646000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2930", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_b097363bce78971f", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=111, eliminated_buckets=0, considered_events=3142, total_slices=582728, decompressed_slices=866, duration.command.search.index=1612, invocations.command.search.index.bucketcache.hit=111, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5214, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter 
vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 04:43:41.911, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654576860_49942', total_run_time=34.48, event_count=0, result_count=0, available_count=0, scan_count=22179655, drop_count=0, exec_time=1654576909, api_et=1654562460.000000000, api_lt=1654576860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654562460.000000000, search_lt=1654576860.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2651", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=0, considered_events=22179655, total_slices=1279594, decompressed_slices=382706, duration.command.search.index=9823, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=70527, invocations.command.search.rawdata.bucketcache.hit=20, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11357826, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 04:43:41.716, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654576920_49965', total_run_time=32.84, event_count=0, result_count=0, available_count=0, scan_count=22167058, drop_count=0, exec_time=1654576969, api_et=1654562520.000000000, api_lt=1654576920.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654562520.000000000, search_lt=1654576920.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2841", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=0, considered_events=22167058, total_slices=1281090, decompressed_slices=382511, duration.command.search.index=9166, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=69963, invocations.command.search.rawdata.bucketcache.hit=20, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11357904, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 04:41:45.571, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654576800_49916', total_run_time=40.98, event_count=0, result_count=0, available_count=0, scan_count=22188291, drop_count=0, exec_time=1654576849, api_et=1654562400.000000000, api_lt=1654576800.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654562400.000000000, search_lt=1654576800.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2866", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=0, considered_events=22188291, total_slices=1278095, decompressed_slices=382821, duration.command.search.index=10314, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=77409, invocations.command.search.rawdata.bucketcache.hit=20, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11358169, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 04:40:44.873, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654576740_49881', total_run_time=36.10, event_count=0, result_count=0, available_count=0, scan_count=22196310, drop_count=0, exec_time=1654576790, api_et=1654562340.000000000, api_lt=1654576740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654562340.000000000, search_lt=1654576740.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2778", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=130, eliminated_buckets=0, considered_events=22196310, total_slices=1276408, decompressed_slices=382949, duration.command.search.index=8999, invocations.command.search.index.bucketcache.hit=130, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=69102, invocations.command.search.rawdata.bucketcache.hit=20, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11357835, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 04:40:14.902, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654576440_49803', total_run_time=31.34, event_count=0, result_count=0, available_count=0, scan_count=22244500, drop_count=0, exec_time=1654576490, api_et=1654562040.000000000, api_lt=1654576440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654562040.000000000, search_lt=1654576440.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2790", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=22244500, total_slices=1294499, decompressed_slices=383659, duration.command.search.index=9074, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=69634, invocations.command.search.rawdata.bucketcache.hit=21, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11359799, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 04:40:14.807, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654576500_49825', total_run_time=29.65, event_count=0, result_count=0, available_count=0, scan_count=22236018, drop_count=0, exec_time=1654576550, api_et=1654562100.000000000, api_lt=1654576500.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654562100.000000000, search_lt=1654576500.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2649", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=22236018, total_slices=1296116, decompressed_slices=383575, duration.command.search.index=8632, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=68552, invocations.command.search.rawdata.bucketcache.hit=21, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11359210, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 04:40:13.732, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654576560_49835', total_run_time=22.87, event_count=0, result_count=0, available_count=0, scan_count=22227562, drop_count=0, exec_time=1654576610, api_et=1654562160.000000000, api_lt=1654576560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654562160.000000000, search_lt=1654576560.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2672", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=22227562, total_slices=1297737, decompressed_slices=383428, duration.command.search.index=8806, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=64259, invocations.command.search.rawdata.bucketcache.hit=21, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11358592, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 04:40:12.251, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654576620_49850', total_run_time=23.80, event_count=0, result_count=0, available_count=0, scan_count=22218688, drop_count=0, exec_time=1654576670, api_et=1654562220.000000000, api_lt=1654576620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654562220.000000000, search_lt=1654576620.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2580", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=22218688, total_slices=1299354, decompressed_slices=383307, duration.command.search.index=8287, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=64483, invocations.command.search.rawdata.bucketcache.hit=21, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11359110, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 04:40:11.751, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654576680_49865', total_run_time=25.28, event_count=0, result_count=0, available_count=0, scan_count=22206161, drop_count=0, exec_time=1654576729, api_et=1654562280.000000000, api_lt=1654576680.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654562280.000000000, search_lt=1654576680.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2602", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=22206161, total_slices=1300970, decompressed_slices=383092, duration.command.search.index=8693, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=64796, invocations.command.search.rawdata.bucketcache.hit=21, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11358040, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 04:34:42.618, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654576380_49767', total_run_time=46.02, event_count=0, result_count=0, available_count=0, scan_count=22264905, drop_count=0, exec_time=1654576429, api_et=1654561980.000000000, api_lt=1654576380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654561980.000000000, search_lt=1654576380.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2773", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=22264905, total_slices=1292919, decompressed_slices=383943, duration.command.search.index=10498, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=81941, invocations.command.search.rawdata.bucketcache.hit=21, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11360492, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 04:34:12.326, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654576380_49753', total_run_time=36.15, event_count=0, result_count=0, available_count=0, scan_count=40340831, drop_count=0, exec_time=1654576405, api_et=1654572780.000000000, api_lt=1654576380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654572780.000000000, search_lt=1654576407.242845000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3713", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_8fe38466ac2b24b4", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=2344, eliminated_buckets=131, considered_events=40340831, total_slices=13281960, decompressed_slices=3704921, duration.command.search.index=13989, invocations.command.search.index.bucketcache.hit=2340, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=214752, invocations.command.search.rawdata.bucketcache.hit=242, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 04:33:42.206, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654576320_49731', total_run_time=44.12, event_count=0, result_count=0, available_count=0, scan_count=22293415, drop_count=0, exec_time=1654576369, api_et=1654561920.000000000, api_lt=1654576320.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654561920.000000000, search_lt=1654576320.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3071", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=22293415, total_slices=1291198, decompressed_slices=384327, duration.command.search.index=10933, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=91527, invocations.command.search.rawdata.bucketcache.hit=21, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11362729, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 04:32:42.305, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654576260_49702', total_run_time=41.96, event_count=0, result_count=0, available_count=0, scan_count=22319997, drop_count=0, exec_time=1654576310, api_et=1654561860.000000000, api_lt=1654576260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654561860.000000000, search_lt=1654576260.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3280", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=22319997, total_slices=1289673, decompressed_slices=384672, duration.command.search.index=11224, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=88909, invocations.command.search.rawdata.bucketcache.hit=21, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11362774, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 04:31:44.189, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654576200_49673', total_run_time=43.53, event_count=0, result_count=0, available_count=0, scan_count=22343311, drop_count=0, exec_time=1654576250, api_et=1654561800.000000000, api_lt=1654576200.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654561800.000000000, search_lt=1654576200.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2888", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=131, eliminated_buckets=0, considered_events=22343311, total_slices=1288362, decompressed_slices=384907, duration.command.search.index=13752, invocations.command.search.index.bucketcache.hit=131, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=115780, invocations.command.search.rawdata.bucketcache.hit=21, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11362852, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 04:30:42.111, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654576140_49629', total_run_time=40.79, event_count=0, result_count=0, available_count=0, scan_count=22366299, drop_count=0, exec_time=1654576190, api_et=1654561740.000000000, api_lt=1654576140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654561740.000000000, search_lt=1654576140.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2766", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=132, eliminated_buckets=0, considered_events=22366299, total_slices=1312959, decompressed_slices=385134, duration.command.search.index=9179, invocations.command.search.index.bucketcache.hit=132, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=79442, invocations.command.search.rawdata.bucketcache.hit=22, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11361503, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 04:29:42.288, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654576080_49616', total_run_time=23.71, event_count=0, result_count=0, available_count=0, scan_count=22393211, drop_count=0, exec_time=1654576130, api_et=1654561680.000000000, api_lt=1654576080.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654561680.000000000, search_lt=1654576080.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2725", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=132, eliminated_buckets=0, considered_events=22393211, total_slices=1311307, decompressed_slices=385458, duration.command.search.index=8795, invocations.command.search.index.bucketcache.hit=132, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=65039, invocations.command.search.rawdata.bucketcache.hit=22, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11360607, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 04:28:42.029, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654576020_49602', total_run_time=27.80, event_count=0, result_count=0, available_count=0, scan_count=22421317, drop_count=0, exec_time=1654576069, api_et=1654561620.000000000, api_lt=1654576020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654561620.000000000, search_lt=1654576020.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2906", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=133, eliminated_buckets=0, considered_events=22421317, total_slices=1336048, decompressed_slices=385851, duration.command.search.index=9355, invocations.command.search.index.bucketcache.hit=133, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=70405, invocations.command.search.rawdata.bucketcache.hit=23, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11362144, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 04:27:42.211, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654575960_49584', total_run_time=23.76, event_count=0, result_count=0, available_count=0, scan_count=22446298, drop_count=0, exec_time=1654576009, api_et=1654561560.000000000, api_lt=1654575960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654561560.000000000, search_lt=1654575960.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2673", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=133, eliminated_buckets=0, considered_events=22446298, total_slices=1334568, decompressed_slices=386218, duration.command.search.index=9401, invocations.command.search.index.bucketcache.hit=133, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=70506, invocations.command.search.rawdata.bucketcache.hit=23, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11363035, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 04:26:42.258, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654575900_49568', total_run_time=23.38, event_count=0, result_count=0, available_count=0, scan_count=22469711, drop_count=0, exec_time=1654575950, api_et=1654561500.000000000, api_lt=1654575900.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654561500.000000000, search_lt=1654575900.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2650", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=133, eliminated_buckets=0, considered_events=22469711, total_slices=1333011, decompressed_slices=386471, duration.command.search.index=8505, invocations.command.search.index.bucketcache.hit=133, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=67172, invocations.command.search.rawdata.bucketcache.hit=23, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11364767, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 04:25:42.375, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654575840_49554', total_run_time=24.80, event_count=0, result_count=0, available_count=0, scan_count=22492429, drop_count=0, exec_time=1654575890, api_et=1654561440.000000000, api_lt=1654575840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654561440.000000000, search_lt=1654575840.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2856", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=133, eliminated_buckets=0, considered_events=22492429, total_slices=1331278, decompressed_slices=386716, duration.command.search.index=9294, invocations.command.search.index.bucketcache.hit=133, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=66969, invocations.command.search.rawdata.bucketcache.hit=23, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11364302, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 04:24:42.264, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654575780_49535', total_run_time=26.55, event_count=0, result_count=0, available_count=0, scan_count=22519026, drop_count=0, exec_time=1654575829, api_et=1654561380.000000000, api_lt=1654575780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654561380.000000000, search_lt=1654575780.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2816", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=133, eliminated_buckets=0, considered_events=22519026, total_slices=1329713, decompressed_slices=387114, duration.command.search.index=9092, invocations.command.search.index.bucketcache.hit=133, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=66576, invocations.command.search.rawdata.bucketcache.hit=23, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11365566, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 04:23:42.119, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654575720_49503', total_run_time=29.94, event_count=0, result_count=0, available_count=0, scan_count=22545699, drop_count=0, exec_time=1654575770, api_et=1654561320.000000000, api_lt=1654575720.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654561320.000000000, search_lt=1654575720.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3168", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=133, eliminated_buckets=0, considered_events=22545699, total_slices=1328234, decompressed_slices=387378, duration.command.search.index=9603, invocations.command.search.index.bucketcache.hit=133, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=74346, invocations.command.search.rawdata.bucketcache.hit=23, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11368690, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 04:22:41.987, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654575660_49487', total_run_time=28.75, event_count=0, result_count=0, available_count=0, scan_count=22572080, drop_count=0, exec_time=1654575710, api_et=1654561260.000000000, api_lt=1654575660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654561260.000000000, search_lt=1654575660.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2816", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=134, eliminated_buckets=0, considered_events=22572080, total_slices=1353118, decompressed_slices=387664, duration.command.search.index=9641, invocations.command.search.index.bucketcache.hit=134, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=70715, invocations.command.search.rawdata.bucketcache.hit=24, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11371539, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 04:22:13.256, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654575600_49458', total_run_time=51.03, event_count=0, result_count=0, available_count=0, scan_count=22594739, drop_count=0, exec_time=1654575651, api_et=1654561200.000000000, api_lt=1654575600.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654561200.000000000, search_lt=1654575600.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3073", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=22594739, total_slices=1378152, decompressed_slices=387886, duration.command.search.index=11084, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=84916, invocations.command.search.rawdata.bucketcache.hit=25, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11374145, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 04:20:42.503, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654575540_49420', total_run_time=28.47, event_count=0, result_count=0, available_count=0, scan_count=22617931, drop_count=0, exec_time=1654575590, api_et=1654561140.000000000, api_lt=1654575540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654561140.000000000, search_lt=1654575540.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2953", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=22617931, total_slices=1376404, decompressed_slices=388180, duration.command.search.index=9790, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=70919, invocations.command.search.rawdata.bucketcache.hit=25, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11375855, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 04:19:42.583, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654575480_49395', total_run_time=31.59, event_count=0, result_count=0, available_count=0, scan_count=22641438, drop_count=0, exec_time=1654575530, api_et=1654561080.000000000, api_lt=1654575480.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654561080.000000000, search_lt=1654575480.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3172", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=22641438, total_slices=1374919, decompressed_slices=388444, duration.command.search.index=10366, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=84190, invocations.command.search.rawdata.bucketcache.hit=25, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11375789, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 04:18:42.429, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654575420_49375', total_run_time=34.13, event_count=0, result_count=0, available_count=0, scan_count=22666824, drop_count=0, exec_time=1654575470, api_et=1654561020.000000000, api_lt=1654575420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654561020.000000000, search_lt=1654575420.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3334", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=22666824, total_slices=1373288, decompressed_slices=388660, duration.command.search.index=10729, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=82475, invocations.command.search.rawdata.bucketcache.hit=25, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11377288, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 04:17:43.512, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654575360_49352', total_run_time=38.76, event_count=0, result_count=0, available_count=0, scan_count=22692601, drop_count=0, exec_time=1654575410, api_et=1654560960.000000000, api_lt=1654575360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654560960.000000000, search_lt=1654575360.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="4168", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=22692601, total_slices=1371725, decompressed_slices=389009, duration.command.search.index=10456, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=82234, invocations.command.search.rawdata.bucketcache.hit=25, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11378762, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 04:16:47.080, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654575300_49334', total_run_time=32.67, event_count=0, result_count=0, available_count=0, scan_count=22717711, drop_count=0, exec_time=1654575350, api_et=1654560900.000000000, api_lt=1654575300.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654560900.000000000, search_lt=1654575300.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3043", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=22717711, total_slices=1370145, decompressed_slices=389271, duration.command.search.index=10291, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=80534, invocations.command.search.rawdata.bucketcache.hit=25, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11381867, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 04:16:46.310, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654575360_49346', total_run_time=8.45, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654575375, api_et=1654571160.000000000, api_lt=1654574760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654571760.000000000, search_lt=1654575377.719583000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3446", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_9f592ef338a40a45", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1128, eliminated_buckets=407, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=703, invocations.command.search.index.bucketcache.hit=1128, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes 
values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 04:15:12.255, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654575240_49315', total_run_time=19.77, event_count=0, result_count=0, available_count=0, scan_count=22735824, drop_count=0, exec_time=1654575289, api_et=1654560840.000000000, api_lt=1654575240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654560840.000000000, search_lt=1654575240.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2764", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=22735824, total_slices=1367331, 
decompressed_slices=389339, duration.command.search.index=7933, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=65911, invocations.command.search.rawdata.bucketcache.hit=25, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11378862, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 04:14:42.067, 
user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654575240_49302', total_run_time=6.16, event_count=0, result_count=0, available_count=0, scan_count=12522, drop_count=0, exec_time=1654575263, api_et=1654571640.000000000, api_lt=1654575240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654571640.000000000, search_lt=1654575265.349684000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2859", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=408, eliminated_buckets=283, considered_events=12522, total_slices=580962, decompressed_slices=2471, duration.command.search.index=1014, invocations.command.search.index.bucketcache.hit=408, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5813, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=48, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=93, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=256, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=70, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=2, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=124, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=6, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull 
value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-07-2022 04:14:41.998, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654575180_49292', total_run_time=25.27, event_count=0, result_count=0, available_count=0, scan_count=22769066, drop_count=0, exec_time=1654575229, api_et=1654560780.000000000, api_lt=1654575180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654560780.000000000, search_lt=1654575180.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2749", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=22769066, total_slices=1366786, decompressed_slices=389778, duration.command.search.index=8084, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, 
invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=65802, invocations.command.search.rawdata.bucketcache.hit=25, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11387021, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 04:13:42.217, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654575120_49265', total_run_time=33.28, event_count=0, result_count=0, available_count=0, scan_count=22794045, drop_count=0, exec_time=1654575169, 
api_et=1654560720.000000000, api_lt=1654575120.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654560720.000000000, search_lt=1654575120.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2659", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=22794045, total_slices=1365156, decompressed_slices=390030, duration.command.search.index=8958, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=74730, invocations.command.search.rawdata.bucketcache.hit=25, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11389382, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS 
existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 04:12:42.242, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654575060_49247', total_run_time=27.59, event_count=0, result_count=0, available_count=0, scan_count=22821161, drop_count=0, exec_time=1654575110, api_et=1654560660.000000000, api_lt=1654575060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654560660.000000000, search_lt=1654575060.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3197", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=22821161, total_slices=1363849, decompressed_slices=390305, duration.command.search.index=8352, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=69264, invocations.command.search.rawdata.bucketcache.hit=25, 
duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11391061, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 04:11:42.115, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654575000_49220', total_run_time=38.10, event_count=0, result_count=0, available_count=0, scan_count=22847430, drop_count=0, exec_time=1654575049, api_et=1654560600.000000000, api_lt=1654575000.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654560600.000000000, 
search_lt=1654575000.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3131", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=22847430, total_slices=1362078, decompressed_slices=390556, duration.command.search.index=9737, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=76725, invocations.command.search.rawdata.bucketcache.hit=25, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11392833, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | 
search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 04:11:12.153, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654575060_49229', total_run_time=5.08, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654575064, api_et=1654571460.000000000, api_lt=1654575060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654571460.000000000, search_lt=1654575066.582979000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2833", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_e642bbb91113bf94", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=59, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=54, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, 
invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 04:10:42.066, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654574940_49188', total_run_time=36.73, event_count=0, result_count=0, available_count=0, scan_count=22871315, drop_count=0, exec_time=1654574989, api_et=1654560540.000000000, api_lt=1654574940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654560540.000000000, search_lt=1654574940.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2651", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=135, eliminated_buckets=0, considered_events=22871315, total_slices=1360438, decompressed_slices=390797, duration.command.search.index=8607, invocations.command.search.index.bucketcache.hit=135, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=72847, invocations.command.search.rawdata.bucketcache.hit=25, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11394197, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 04:09:42.288, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654574880_49172', total_run_time=23.54, event_count=0, result_count=0, available_count=0, scan_count=22895084, drop_count=0, exec_time=1654574929, api_et=1654560480.000000000, api_lt=1654574880.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654560480.000000000, search_lt=1654574880.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2692", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=22895084, total_slices=1384669, decompressed_slices=390974, duration.command.search.index=8694, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=68423, invocations.command.search.rawdata.bucketcache.hit=26, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11393580, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 04:09:42.282, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654574940_49180', total_run_time=18.17, event_count=0, result_count=0, available_count=0, scan_count=5052366, drop_count=0, exec_time=1654574949, api_et=1654570740.000000000, api_lt=1654574340.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654570740.000000000, search_lt=1654574340.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3096", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_57b271fa9dead634", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=773, eliminated_buckets=379, considered_events=5052366, total_slices=1107384, decompressed_slices=218253, duration.command.search.index=2027, invocations.command.search.index.bucketcache.hit=772, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=36817, invocations.command.search.rawdata.bucketcache.hit=14, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=59, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 04:08:42.252, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654574820_49156', total_run_time=27.80, event_count=0, result_count=0, available_count=0, scan_count=22926722, drop_count=0, exec_time=1654574869, api_et=1654560420.000000000, api_lt=1654574820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654560420.000000000, search_lt=1654574820.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New 
IP", search_startup_time="2644", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=22926722, total_slices=1383080, decompressed_slices=391335, duration.command.search.index=9372, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=72023, invocations.command.search.rawdata.bucketcache.hit=26, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11396531, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as 
latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 04:08:41.983, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654574820_49159', total_run_time=17.63, event_count=1168, result_count=55, available_count=0, scan_count=371485, drop_count=0, exec_time=1654574880, api_et=1654571220.000000000, api_lt=1654574820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654571220.000000000, search_lt=1654574882.514470000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - Windows - CLI Threat Indicator Detected - Rule", search_startup_time="3031", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=409, eliminated_buckets=197, considered_events=376242, total_slices=722636, decompressed_slices=112308, duration.command.search.index=3732, invocations.command.search.index.bucketcache.hit=409, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=34626, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=4, 
sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=300545, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=36023, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-07-2022 04:07:42.300, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654574760_49136', total_run_time=29.55, event_count=0, 
result_count=0, available_count=0, scan_count=22955264, drop_count=0, exec_time=1654574810, api_et=1654560360.000000000, api_lt=1654574760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654560360.000000000, search_lt=1654574760.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2837", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=22955264, total_slices=1381476, decompressed_slices=391591, duration.command.search.index=9335, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=76016, invocations.command.search.rawdata.bucketcache.hit=26, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11399177, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | 
lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 04:07:41.979, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654574820_49151', total_run_time=8.32, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654574846, api_et=1654571220.000000000, api_lt=1654574820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654571220.000000000, search_lt=1654574848.592281000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2876", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_f5cd6a10036a4aae", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=409, eliminated_buckets=197, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=846, invocations.command.search.index.bucketcache.hit=409, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, 
duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 04:06:42.121, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654574700_49121', total_run_time=40.52, event_count=0, result_count=0, available_count=0, scan_count=22980565, drop_count=0, exec_time=1654574750, api_et=1654560300.000000000, api_lt=1654574700.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654560300.000000000, search_lt=1654574700.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2776", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=22980565, total_slices=1379931, decompressed_slices=391848, duration.command.search.index=10345, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=81362, invocations.command.search.rawdata.bucketcache.hit=26, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11401773, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 04:05:42.218, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654574640_49103', total_run_time=36.84, event_count=0, result_count=0, available_count=0, scan_count=23011483, drop_count=0, exec_time=1654574690, api_et=1654560240.000000000, api_lt=1654574640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654560240.000000000, search_lt=1654574640.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2718", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=136, eliminated_buckets=0, considered_events=23011483, total_slices=1378280, decompressed_slices=392168, duration.command.search.index=13412, invocations.command.search.index.bucketcache.hit=136, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=106848, invocations.command.search.rawdata.bucketcache.hit=26, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11405776, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 04:04:42.197, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654574580_49061', total_run_time=47.94, event_count=0, result_count=0, available_count=0, scan_count=23039874, drop_count=0, exec_time=1654574629, api_et=1654560180.000000000, api_lt=1654574580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654560180.000000000, search_lt=1654574580.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2780", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=23039874, total_slices=1402617, decompressed_slices=392496, duration.command.search.index=13197, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=139033, invocations.command.search.rawdata.bucketcache.hit=27, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11408408, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 04:03:42.672, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654574520_49014', total_run_time=36.18, event_count=0, result_count=0, available_count=0, scan_count=23069196, drop_count=0, exec_time=1654574570, api_et=1654560120.000000000, api_lt=1654574520.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654560120.000000000, search_lt=1654574520.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2696", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=23069196, total_slices=1401154, decompressed_slices=392853, duration.command.search.index=11416, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=95844, invocations.command.search.rawdata.bucketcache.hit=27, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11411347, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 04:02:43.457, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654574460_48983', total_run_time=29.56, event_count=0, result_count=0, available_count=0, scan_count=23094680, drop_count=0, exec_time=1654574509, api_et=1654560060.000000000, api_lt=1654574460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654560060.000000000, search_lt=1654574460.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2772", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=23094680, total_slices=1399472, decompressed_slices=393250, duration.command.search.index=11077, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=93181, invocations.command.search.rawdata.bucketcache.hit=27, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11410637, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 04:01:42.214, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654574400_48952', total_run_time=41.10, event_count=0, result_count=0, available_count=0, scan_count=23110703, drop_count=0, exec_time=1654574450, api_et=1654560000.000000000, api_lt=1654574400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654560000.000000000, search_lt=1654574400.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2790", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=23110703, total_slices=1397819, decompressed_slices=393329, duration.command.search.index=13640, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=116889, invocations.command.search.rawdata.bucketcache.hit=27, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=11403677, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 03:44:21.727, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654573380_48627', total_run_time=30.31, event_count=0, result_count=0, available_count=0, scan_count=3121, drop_count=0, exec_time=1654573418, api_et=1654569780.000000000, api_lt=1654573380.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654569780.000000000, search_lt=1654573420.423840000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3015", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_a9edff3acff90d2c", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=113, eliminated_buckets=0, considered_events=3121, total_slices=472004, decompressed_slices=819, duration.command.search.index=1150, invocations.command.search.index.bucketcache.hit=113, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4954, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 03:34:26.052, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654572780_48406', total_run_time=42.15, event_count=0, result_count=0, available_count=0, scan_count=40597662, drop_count=0, exec_time=1654572806, api_et=1654569180.000000000, api_lt=1654572780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654569180.000000000, search_lt=1654572808.631414000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3887", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_dfa774cede305571", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=2294, eliminated_buckets=106, considered_events=40597662, total_slices=13177099, decompressed_slices=3721987, duration.command.search.index=14133, invocations.command.search.index.bucketcache.hit=2289, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=222668, invocations.command.search.rawdata.bucketcache.hit=220, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 03:16:45.141, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654571760_48034', total_run_time=10.60, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654571770, api_et=1654567560.000000000, api_lt=1654571160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654568160.000000000, search_lt=1654571772.778449000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3708", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_9dc5aa905383f5b7", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1123, eliminated_buckets=406, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=781, invocations.command.search.index.bucketcache.hit=1123, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 03:14:45.226, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654571640_47993', total_run_time=8.18, event_count=0, result_count=0, available_count=0, scan_count=12308, drop_count=0, exec_time=1654571663, api_et=1654568040.000000000, api_lt=1654571640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654568040.000000000, search_lt=1654571665.325123000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2771", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=407, eliminated_buckets=282, considered_events=12308, total_slices=508762, decompressed_slices=3364, duration.command.search.index=1116, invocations.command.search.index.bucketcache.hit=407, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=6073, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=58, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=294, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=643, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=149, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=14, 
sourcetype_count__crowdstrike:falcon:fdr:PdfFileWritten=1, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=363, sourcetype_count__crowdstrike:falcon:fdr:SevenZipFileWritten=4, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=3, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR 
sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-07-2022 03:11:14.975, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654571340_47880', total_run_time=22.10, event_count=0, result_count=0, available_count=0, scan_count=4740908, drop_count=0, exec_time=1654571345, api_et=1654567140.000000000, api_lt=1654570740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654567140.000000000, search_lt=1654570740.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3149", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_6e0c31838a29916f", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=769, eliminated_buckets=375, considered_events=4740908, total_slices=1163730, 
decompressed_slices=213040, duration.command.search.index=2128, invocations.command.search.index.bucketcache.hit=767, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=35786, invocations.command.search.rawdata.bucketcache.hit=16, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=68, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | 
eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 03:11:12.656, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654571460_47928', total_run_time=5.44, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654571466, api_et=1654567860.000000000, api_lt=1654571460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654567860.000000000, search_lt=1654571468.555039000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2937", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_b9be9e375c2b05e4", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=59, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=45, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 03:08:55.145, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654571220_47867', total_run_time=19.42, event_count=1223, result_count=58, available_count=0, scan_count=406765, drop_count=0, exec_time=1654571285, api_et=1654567620.000000000, api_lt=1654571220.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654567620.000000000, search_lt=1654571287.545118000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2922", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=406, eliminated_buckets=197, considered_events=412526, total_slices=653635, decompressed_slices=114417, duration.command.search.index=4003, invocations.command.search.index.bucketcache.hit=406, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=35045, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=2, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=324555, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=38281, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-07-2022 03:07:55.465, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654571220_47856', total_run_time=7.14, event_count=0, result_count=0, available_count=0, scan_count=2, drop_count=0, exec_time=1654571247, api_et=1654567620.000000000, api_lt=1654571220.000000000, api_index_et=N/A, 
api_index_lt=N/A, search_et=1654567620.000000000, search_lt=1654571248.906699000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2778", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_d87852e9a652854f", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=406, eliminated_buckets=197, considered_events=2, total_slices=21570, decompressed_slices=2, duration.command.search.index=898, invocations.command.search.index.bucketcache.hit=406, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=265, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine 
"sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 02:44:28.238, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654569780_47343', total_run_time=39.16, event_count=0, result_count=0, available_count=0, scan_count=3446, drop_count=0, exec_time=1654569818, api_et=1654566180.000000000, api_lt=1654569780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654566180.000000000, search_lt=1654569820.033587000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2756", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_254ee6b7109ed90f", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=119, eliminated_buckets=0, considered_events=3446, total_slices=666750, decompressed_slices=969, duration.command.search.index=1239, invocations.command.search.index.bucketcache.hit=118, duration.command.search.index.bucketcache.hit=0, 
invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=4963, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 02:34:29.260, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654569180_47122', total_run_time=36.09, event_count=0, result_count=0, 
available_count=0, scan_count=40261144, drop_count=0, exec_time=1654569205, api_et=1654565580.000000000, api_lt=1654569180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654565580.000000000, search_lt=1654569207.291951000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="4037", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_a9a5c31c88790bca", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=2315, eliminated_buckets=106, considered_events=40261144, total_slices=13337021, decompressed_slices=3726664, duration.command.search.index=14700, invocations.command.search.index.bucketcache.hit=2305, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=214337, invocations.command.search.rawdata.bucketcache.hit=233, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" 
suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 02:16:21.601, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654568160_46749', total_run_time=9.19, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654568171, api_et=1654563960.000000000, api_lt=1654567560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654564560.000000000, search_lt=1654568173.047994000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="4007", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_b05cf1a329f351ad", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1127, eliminated_buckets=406, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=727, invocations.command.search.index.bucketcache.hit=1127, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, 
invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, 
risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 02:15:50.116, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654568040_46709', total_run_time=12.77, event_count=0, result_count=0, available_count=0, scan_count=13977, drop_count=0, exec_time=1654568063, api_et=1654564440.000000000, api_lt=1654568040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654564440.000000000, search_lt=1654568065.670336000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2915", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=405, eliminated_buckets=280, considered_events=14296, total_slices=425993, decompressed_slices=3311, duration.command.search.index=1259, invocations.command.search.index.bucketcache.hit=405, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=6764, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, 
sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=52, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=193, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=573, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=113, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=7, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=236, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=14, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR 
sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-07-2022 02:11:24.446, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654567860_46642', total_run_time=5.28, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654567864, api_et=1654564260.000000000, api_lt=1654567860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654564260.000000000, search_lt=1654567866.369770000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2757", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_9a83d48cd9824445", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", 
mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=62, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=49, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 02:10:14.501, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654567740_46598', total_run_time=39.44, event_count=0, result_count=0, available_count=0, scan_count=3756745, drop_count=0, exec_time=1654567745, api_et=1654563540.000000000, api_lt=1654567140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654563540.000000000, search_lt=1654567140.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3274", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_ded316edc2ed80c4", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=770, eliminated_buckets=379, considered_events=3756745, total_slices=1149302, decompressed_slices=186197, duration.command.search.index=1948, invocations.command.search.index.bucketcache.hit=767, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=34893, invocations.command.search.rawdata.bucketcache.hit=11, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=79, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 02:08:54.337, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654567620_46579', total_run_time=30.73, event_count=1872, result_count=98, available_count=0, scan_count=448453, drop_count=0, exec_time=1654567680, api_et=1654564020.000000000, api_lt=1654567620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654564020.000000000, search_lt=1654567682.671621000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2943", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=407, eliminated_buckets=198, considered_events=456784, total_slices=575314, decompressed_slices=111004, duration.command.search.index=4771, invocations.command.search.index.bucketcache.hit=407, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=42863, invocations.command.search.rawdata.bucketcache.hit=1, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=3, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=361961, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=43464, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype 
CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-07-2022 02:07:54.852, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654567620_46574', total_run_time=11.09, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654567646, api_et=1654564020.000000000, api_lt=1654567620.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654564020.000000000, search_lt=1654567648.366190000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2827", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_2cccfa336297314e", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=407, eliminated_buckets=198, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=1237, invocations.command.search.index.bucketcache.hit=407, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 01:46:20.618, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654566180_46078', total_run_time=65.66, event_count=0, result_count=0, available_count=0, scan_count=2875, drop_count=0, exec_time=1654566218, api_et=1654562580.000000000, api_lt=1654566180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654562580.000000000, search_lt=1654566220.012752000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="2648", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_a61aba8afd6ab1fd", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=118, eliminated_buckets=0, considered_events=2875, total_slices=820314, decompressed_slices=917, duration.command.search.index=1522, invocations.command.search.index.bucketcache.hit=118, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=5421, invocations.command.search.rawdata.bucketcache.hit=4, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 01:34:26.208, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654565580_45858', total_run_time=37.67, event_count=0, result_count=0, available_count=0, scan_count=40356112, drop_count=0, exec_time=1654565605, api_et=1654561980.000000000, api_lt=1654565580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654561980.000000000, search_lt=1654565607.267549000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3324", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_8bdfcfcccbe267f3", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=2296, eliminated_buckets=106, considered_events=40356112, total_slices=13197792, decompressed_slices=3730634, duration.command.search.index=14288, invocations.command.search.index.bucketcache.hit=2288, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=216101, invocations.command.search.rawdata.bucketcache.hit=211, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, 
risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 01:16:30.459, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654564560_45490', total_run_time=16.29, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654564570, api_et=1654560360.000000000, api_lt=1654563960.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654560960.000000000, search_lt=1654564572.575439000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3653", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_72e1c0a79bb49e8d", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1127, eliminated_buckets=404, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=688, invocations.command.search.index.bucketcache.hit=1127, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 01:14:37.793, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654564440_45450', total_run_time=9.30, event_count=0, result_count=0, available_count=0, scan_count=14197, drop_count=0, exec_time=1654564463, api_et=1654560840.000000000, api_lt=1654564440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654560840.000000000, search_lt=1654564465.429437000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2756", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=408, eliminated_buckets=281, considered_events=14605, total_slices=380479, decompressed_slices=3751, duration.command.search.index=1173, invocations.command.search.index.bucketcache.hit=408, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=6330, invocations.command.search.rawdata.bucketcache.hit=2, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=46, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=269, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=984, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=165, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=5, 
sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=197, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=4, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") 
`filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-07-2022 01:11:37.874, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654564260_45384', total_run_time=5.99, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654564264, api_et=1654560660.000000000, api_lt=1654564260.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654560660.000000000, search_lt=1654564267.132349000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="3294", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_2d4ff9c6eff99e09", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=62, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=37, invocations.command.search.index.bucketcache.hit=138, 
duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 01:09:38.073, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654564140_45339', total_run_time=18.00, event_count=0, result_count=0, available_count=0, scan_count=4684887, drop_count=0, exec_time=1654564145, api_et=1654559940.000000000, api_lt=1654563540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654559940.000000000, search_lt=1654563540.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3157", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_633befa2f063dbfc", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=762, eliminated_buckets=376, considered_events=4684887, total_slices=1163578, decompressed_slices=221009, duration.command.search.index=2008, invocations.command.search.index.bucketcache.hit=762, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=36673, invocations.command.search.rawdata.bucketcache.hit=10, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=117, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 01:08:37.922, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654564020_45320', total_run_time=24.32, event_count=1727, result_count=97, available_count=0, scan_count=495164, drop_count=0, exec_time=1654564080, api_et=1654560420.000000000, api_lt=1654564020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654560420.000000000, search_lt=1654564082.519876000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - 
Windows - CLI Threat Indicator Detected - Rule", search_startup_time="3058", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=408, eliminated_buckets=199, considered_events=498990, total_slices=497320, decompressed_slices=148405, duration.command.search.index=4926, invocations.command.search.index.bucketcache.hit=408, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=47023, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=398034, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=46139, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | 
rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-07-2022 01:07:37.928, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654564020_45315', total_run_time=8.97, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654564046, api_et=1654560420.000000000, api_lt=1654564020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654560420.000000000, search_lt=1654564048.530095000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2950", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_bb5cd53a67fe4a45", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=408, eliminated_buckets=199, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=1045, invocations.command.search.index.bucketcache.hit=408, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, 
invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 01:01:00.421, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654563540_45111', total_run_time=44.05, event_count=0, result_count=0, available_count=0, scan_count=29379067, drop_count=0, exec_time=1654563590, api_et=1654549140.000000000, api_lt=1654563540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654549140.000000000, search_lt=1654563540.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3062", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=143, eliminated_buckets=0, considered_events=29379067, total_slices=1826441, decompressed_slices=453519, duration.command.search.index=10971, invocations.command.search.index.bucketcache.hit=143, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=101053, invocations.command.search.rawdata.bucketcache.hit=33, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12409871, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 00:59:22.786, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654563480_45098', total_run_time=25.01, event_count=0, result_count=0, available_count=0, scan_count=29412353, drop_count=0, exec_time=1654563529, api_et=1654549080.000000000, api_lt=1654563480.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654549080.000000000, search_lt=1654563480.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3085", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=143, eliminated_buckets=0, considered_events=29412353, total_slices=1824563, decompressed_slices=453838, duration.command.search.index=10574, invocations.command.search.index.bucketcache.hit=143, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=83689, invocations.command.search.rawdata.bucketcache.hit=33, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12417652, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 00:58:53.015, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654563420_45082', total_run_time=34.49, event_count=0, result_count=0, available_count=0, scan_count=29445045, drop_count=0, exec_time=1654563470, api_et=1654549020.000000000, api_lt=1654563420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654549020.000000000, search_lt=1654563420.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2729", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=143, eliminated_buckets=0, considered_events=29445045, total_slices=1848880, decompressed_slices=454274, duration.command.search.index=12168, invocations.command.search.index.bucketcache.hit=143, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=95978, invocations.command.search.rawdata.bucketcache.hit=33, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12424476, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 00:57:22.980, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654563360_45063', total_run_time=20.86, event_count=0, result_count=0, available_count=0, scan_count=29478850, drop_count=0, exec_time=1654563409, api_et=1654548960.000000000, api_lt=1654563360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654548960.000000000, search_lt=1654563360.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2587", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=143, eliminated_buckets=0, considered_events=29478850, total_slices=1847146, decompressed_slices=454641, duration.command.search.index=10793, invocations.command.search.index.bucketcache.hit=143, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=77399, invocations.command.search.rawdata.bucketcache.hit=33, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12429148, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 00:56:22.825, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654563300_45052', total_run_time=23.71, event_count=0, result_count=0, available_count=0, scan_count=29514439, drop_count=0, exec_time=1654563349, api_et=1654548900.000000000, api_lt=1654563300.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654548900.000000000, search_lt=1654563300.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2646", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=143, eliminated_buckets=0, considered_events=29514439, total_slices=1845339, decompressed_slices=454979, duration.command.search.index=10865, invocations.command.search.index.bucketcache.hit=143, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=82990, invocations.command.search.rawdata.bucketcache.hit=33, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12435009, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 00:55:22.830, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654563240_45034', total_run_time=28.12, event_count=0, result_count=0, available_count=0, scan_count=29550556, drop_count=0, exec_time=1654563289, api_et=1654548840.000000000, api_lt=1654563240.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654548840.000000000, search_lt=1654563240.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2654", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=144, eliminated_buckets=1, considered_events=29550556, total_slices=1869846, decompressed_slices=455366, duration.command.search.index=11035, invocations.command.search.index.bucketcache.hit=144, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=83249, invocations.command.search.rawdata.bucketcache.hit=34, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12442428, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 00:54:23.930, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654563180_45017', total_run_time=26.05, event_count=0, result_count=0, available_count=0, scan_count=29585497, drop_count=0, exec_time=1654563229, api_et=1654548780.000000000, api_lt=1654563180.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654548780.000000000, search_lt=1654563180.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2396", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=143, eliminated_buckets=1, considered_events=29585497, total_slices=1868040, decompressed_slices=455688, duration.command.search.index=10779, invocations.command.search.index.bucketcache.hit=143, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=81273, invocations.command.search.rawdata.bucketcache.hit=34, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12448545, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 00:54:22.754, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654563120_44992', total_run_time=28.79, event_count=0, result_count=0, available_count=0, scan_count=29619718, drop_count=0, exec_time=1654563170, api_et=1654548720.000000000, api_lt=1654563120.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654548720.000000000, search_lt=1654563120.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2728", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=143, eliminated_buckets=1, considered_events=29619718, total_slices=1866330, decompressed_slices=456083, duration.command.search.index=12600, invocations.command.search.index.bucketcache.hit=143, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=96522, invocations.command.search.rawdata.bucketcache.hit=33, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12456788, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 00:52:34.984, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654563060_44975', total_run_time=32.41, event_count=0, result_count=0, available_count=0, scan_count=29655057, drop_count=0, exec_time=1654563109, api_et=1654548660.000000000, api_lt=1654563060.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654548660.000000000, search_lt=1654563060.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="5788", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=142, eliminated_buckets=0, considered_events=29655057, total_slices=1864585, decompressed_slices=456446, duration.command.search.index=12005, invocations.command.search.index.bucketcache.hit=142, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=91649, invocations.command.search.rawdata.bucketcache.hit=33, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12464175, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 00:51:35.062, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654563000_44952', total_run_time=39.22, event_count=0, result_count=0, available_count=0, scan_count=29690811, drop_count=0, exec_time=1654563051, api_et=1654548600.000000000, api_lt=1654563000.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654548600.000000000, search_lt=1654563000.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3083", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=142, eliminated_buckets=0, considered_events=29690811, total_slices=1862768, decompressed_slices=456744, duration.command.search.index=12237, invocations.command.search.index.bucketcache.hit=142, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=97862, invocations.command.search.rawdata.bucketcache.hit=33, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12471529, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 00:50:36.435, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654562880_44892', total_run_time=30.10, event_count=0, result_count=0, available_count=0, scan_count=29765862, drop_count=0, exec_time=1654562931, api_et=1654548480.000000000, api_lt=1654562880.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654548480.000000000, search_lt=1654562880.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3263", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=142, eliminated_buckets=0, considered_events=29765862, total_slices=1859218, decompressed_slices=457544, duration.command.search.index=13323, invocations.command.search.index.bucketcache.hit=142, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=99686, invocations.command.search.rawdata.bucketcache.hit=32, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12487675, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 00:50:34.562, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654562940_44915', total_run_time=38.02, event_count=0, result_count=0, available_count=0, scan_count=29730107, drop_count=0, exec_time=1654562990, api_et=1654548540.000000000, api_lt=1654562940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654548540.000000000, search_lt=1654562940.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3156", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=142, eliminated_buckets=0, considered_events=29730107, total_slices=1860990, decompressed_slices=457197, duration.command.search.index=12494, invocations.command.search.index.bucketcache.hit=142, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=130998, invocations.command.search.rawdata.bucketcache.hit=32, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12480635, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 00:50:33.250, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654562820_44876', total_run_time=34.29, event_count=0, result_count=0, available_count=0, scan_count=29801677, drop_count=0, exec_time=1654562870, api_et=1654548420.000000000, api_lt=1654562820.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654548420.000000000, search_lt=1654562820.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3021", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=142, eliminated_buckets=1, considered_events=29801677, total_slices=1857335, decompressed_slices=457808, duration.command.search.index=11839, invocations.command.search.index.bucketcache.hit=142, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=95587, invocations.command.search.rawdata.bucketcache.hit=32, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12494438, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 00:47:29.428, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654562760_44853', total_run_time=29.27, event_count=0, result_count=0, available_count=0, scan_count=29837386, drop_count=0, exec_time=1654562810, api_et=1654548360.000000000, api_lt=1654562760.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654548360.000000000, search_lt=1654562760.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2997", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=142, eliminated_buckets=1, considered_events=29837386, total_slices=1855643, decompressed_slices=458139, duration.command.search.index=11307, invocations.command.search.index.bucketcache.hit=142, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=87406, invocations.command.search.rawdata.bucketcache.hit=32, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12501446, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 00:45:57.168, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654562640_44812', total_run_time=58.17, event_count=0, result_count=0, available_count=0, scan_count=29907329, drop_count=0, exec_time=1654562690, api_et=1654548240.000000000, api_lt=1654562640.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654548240.000000000, search_lt=1654562640.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3396", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=142, eliminated_buckets=1, considered_events=29907329, total_slices=1852201, decompressed_slices=458838, duration.command.search.index=11619, invocations.command.search.index.bucketcache.hit=142, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=102163, invocations.command.search.rawdata.bucketcache.hit=32, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12512944, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 00:45:25.519, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654562580_44791', total_run_time=55.31, event_count=0, result_count=0, available_count=0, scan_count=29937959, drop_count=0, exec_time=1654562629, api_et=1654548180.000000000, api_lt=1654562580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654548180.000000000, search_lt=1654562580.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3248", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=142, eliminated_buckets=1, considered_events=29937959, total_slices=1850421, decompressed_slices=459087, duration.command.search.index=11510, invocations.command.search.index.bucketcache.hit=142, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=97721, invocations.command.search.rawdata.bucketcache.hit=32, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12520059, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 00:45:23.806, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5daddff565131c3da_at_1654562580_44788', total_run_time=65.96, event_count=0, result_count=0, available_count=0, scan_count=3972, drop_count=0, exec_time=1654562618, api_et=1654558980.000000000, api_lt=1654562580.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654558980.000000000, search_lt=1654562620.744998000, is_realtime=0, savedsearch_name="Threat - DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="3022", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_4dcfbce6d0133c8e", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=117, eliminated_buckets=1, considered_events=3972, total_slices=960611, decompressed_slices=1051, duration.command.search.index=1738, invocations.command.search.index.bucketcache.hit=117, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=6078, invocations.command.search.rawdata.bucketcache.hit=5, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype=pan:threat (log_subtype="vulnerability") earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields palo_threat_id | makemv delim=";" palo_threat_id | mvexpand palo_threat_id | rename palo_threat_id as signature_id | format ] | where src_zone!=dest_zone | stats earliest(_time) as event_time count by index sourcetype signature_id category signature severity user src_ip src_zone dest_ip dest_zone transport action | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1289 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vulnerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 00:43:34.788, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654562460_44738', total_run_time=78.99, event_count=0, result_count=0, available_count=0, scan_count=30003004, drop_count=0, exec_time=1654562509, api_et=1654548060.000000000, api_lt=1654562460.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654548060.000000000, search_lt=1654562460.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2780", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=141, eliminated_buckets=1, considered_events=30003004, total_slices=1846719, decompressed_slices=459838, duration.command.search.index=13229, invocations.command.search.index.bucketcache.hit=141, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=101436, invocations.command.search.rawdata.bucketcache.hit=31, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12533442, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 00:41:21.831, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654562040_44605', total_run_time=88.84, event_count=0, result_count=0, available_count=0, scan_count=30255840, drop_count=0, exec_time=1654562090, api_et=1654547640.000000000, api_lt=1654562040.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654547640.000000000, search_lt=1654562040.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2751", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=141, eliminated_buckets=1, considered_events=30255840, total_slices=1834232, decompressed_slices=462708, duration.command.search.index=13627, invocations.command.search.index.bucketcache.hit=141, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=114307, invocations.command.search.rawdata.bucketcache.hit=31, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12586105, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 00:41:21.476, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654562280_44664', total_run_time=49.18, event_count=0, result_count=0, available_count=0, scan_count=30102254, drop_count=0, exec_time=1654562329, api_et=1654547880.000000000, api_lt=1654562280.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654547880.000000000, search_lt=1654562280.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2712", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=141, eliminated_buckets=1, considered_events=30102254, total_slices=1841250, decompressed_slices=460991, duration.command.search.index=11339, invocations.command.search.index.bucketcache.hit=141, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=89468, invocations.command.search.rawdata.bucketcache.hit=31, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12553396, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 00:41:18.629, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654562340_44681', total_run_time=66.79, event_count=0, result_count=0, available_count=0, scan_count=30069841, drop_count=0, exec_time=1654562390, api_et=1654547940.000000000, api_lt=1654562340.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654547940.000000000, search_lt=1654562340.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2829", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=141, eliminated_buckets=1, considered_events=30069841, total_slices=1843206, decompressed_slices=460608, duration.command.search.index=12710, invocations.command.search.index.bucketcache.hit=141, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=107756, invocations.command.search.rawdata.bucketcache.hit=31, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12546883, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 00:41:18.143, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654562160_44635', total_run_time=66.57, event_count=0, result_count=0, available_count=0, scan_count=30181757, drop_count=0, exec_time=1654562210, api_et=1654547760.000000000, api_lt=1654562160.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654547760.000000000, search_lt=1654562160.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2712", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=141, eliminated_buckets=1, considered_events=30181757, total_slices=1837791, decompressed_slices=461844, duration.command.search.index=12279, invocations.command.search.index.bucketcache.hit=141, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=95768, invocations.command.search.rawdata.bucketcache.hit=31, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12569589, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 00:34:27.182, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5b22484d70bab8f4a_at_1654561980_44556', total_run_time=35.08, event_count=0, result_count=0, available_count=0, scan_count=40184254, drop_count=0, exec_time=1654562005, api_et=1654558380.000000000, api_lt=1654561980.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654558380.000000000, search_lt=1654562007.467494000, is_realtime=0, savedsearch_name="Threat - DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt - Rule", search_startup_time="4043", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_45514175ae46c58b", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=2327, eliminated_buckets=106, considered_events=40184254, total_slices=13356261, decompressed_slices=3697097, duration.command.search.index=14621, invocations.command.search.index.bucketcache.hit=2319, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=219447, invocations.command.search.rawdata.bucketcache.hit=242, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=o11y_security OR index=customer_suricata OR index=infrastructure_suricata) sourcetype=suricata event_type=alert earliest=-1h [| inputlookup network_vuln_exploit_sigs | fields suricata_sig_id | makemv delim=";" suricata_sig_id | mvexpand suricata_sig_id | rename suricata_sig_id as alert.signature_id | format ] | stats earliest(_time) as event_time count by index sourcetype alert.signature alert.signature_id alert.severity alert.category alert.action src_ip dest_ip proto | eval risk_object=dest_ip, risk_object_context=dest_ip, risk_object_type="system", risk_threat_object=src_ip, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1290 - Highly targeted perimeter vulnerability exploit attempt", risk_description="An IDS signature was tripped for an exploit attempt against a targeted vunerability" | eval _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 00:33:56.854, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654561860_44505', total_run_time=123.06, event_count=0, result_count=0, available_count=0, scan_count=30325089, drop_count=0, exec_time=1654561910, api_et=1654547460.000000000, api_lt=1654561860.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654547460.000000000, search_lt=1654561860.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3138", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=0, considered_events=30325089, total_slices=1828677, decompressed_slices=463468, duration.command.search.index=18668, invocations.command.search.index.bucketcache.hit=140, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=156901, invocations.command.search.rawdata.bucketcache.hit=31, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12608829, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 00:31:57.031, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654561740_44437', total_run_time=97.87, event_count=0, result_count=0, available_count=0, scan_count=30373262, drop_count=0, exec_time=1654561790, api_et=1654547340.000000000, api_lt=1654561740.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654547340.000000000, search_lt=1654561740.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2721", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=1, considered_events=30373262, total_slices=1824748, decompressed_slices=464223, duration.command.search.index=13947, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=144268, invocations.command.search.rawdata.bucketcache.hit=29, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12625578, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 00:29:55.402, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654561680_44422', total_run_time=56.39, event_count=0, result_count=0, available_count=0, scan_count=30396195, drop_count=0, exec_time=1654561729, api_et=1654547280.000000000, api_lt=1654561680.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654547280.000000000, search_lt=1654561680.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2716", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=1, considered_events=30396195, total_slices=1822708, decompressed_slices=464508, duration.command.search.index=12603, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=99240, invocations.command.search.rawdata.bucketcache.hit=29, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12633364, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 00:28:55.265, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654561560_44390', total_run_time=102.16, event_count=0, result_count=0, available_count=0, scan_count=30438698, drop_count=0, exec_time=1654561610, api_et=1654547160.000000000, api_lt=1654561560.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654547160.000000000, search_lt=1654561560.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2815", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=30438698, total_slices=1818758, decompressed_slices=464963, duration.command.search.index=13642, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=109135, invocations.command.search.rawdata.bucketcache.hit=29, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12649727, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 00:26:55.121, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654561440_44361', total_run_time=113.90, event_count=0, result_count=0, available_count=0, scan_count=30479512, drop_count=0, exec_time=1654561489, api_et=1654547040.000000000, api_lt=1654561440.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654547040.000000000, search_lt=1654561440.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2734", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=30479512, total_slices=1815025, decompressed_slices=465606, duration.command.search.index=15685, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=131844, invocations.command.search.rawdata.bucketcache.hit=29, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12666209, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 00:24:55.550, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654561320_44311', total_run_time=114.10, event_count=0, result_count=0, available_count=0, scan_count=30528496, drop_count=0, exec_time=1654561370, api_et=1654546920.000000000, api_lt=1654561320.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654546920.000000000, search_lt=1654561320.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2816", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=30528496, total_slices=1810920, decompressed_slices=466196, duration.command.search.index=17654, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=140553, invocations.command.search.rawdata.bucketcache.hit=27, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12680516, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 00:23:55.215, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD5f35305de57109d38_at_1654561200_44270', total_run_time=147.92, event_count=12695740, result_count=15, available_count=0, scan_count=30584827, drop_count=0, exec_time=1654561258, api_et=1654546800.000000000, api_lt=1654561200.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654546800.000000000, search_lt=1654561200.000000000, is_realtime=0, savedsearch_name="(1/3)_Public/NAT IP_Updating Existing IP", search_startup_time="2698", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_0f6d107c44b6659a", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=30584827, total_slices=1807559, decompressed_slices=466838, duration.command.search.index=18271, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=186093, invocations.command.search.rawdata.bucketcache.hit=27, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12695740, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="False" | eval earliest_seen=strptime(existing_es, "%m/%d/%Y %H:%M:%S.%N") | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(earliest_seen) 
as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields ServiceType, host, src_translated_ip, earliest_seen, latest_seen, right_now, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 00:22:25.388, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654561140_44230', total_run_time=136.42, event_count=0, result_count=0, available_count=0, scan_count=30614586, drop_count=0, exec_time=1654561190, api_et=1654546740.000000000, api_lt=1654561140.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654546740.000000000, search_lt=1654561140.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2737", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=30614586, total_slices=1805252, decompressed_slices=467113, duration.command.search.index=20911, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=209335, invocations.command.search.rawdata.bucketcache.hit=27, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12702222, 
search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 00:19:55.461, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654561020_44183', total_run_time=102.15, event_count=0, result_count=0, available_count=0, scan_count=30668119, drop_count=0, exec_time=1654561071, api_et=1654546620.000000000, api_lt=1654561020.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654546620.000000000, search_lt=1654561020.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3229", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=1, considered_events=30668119, total_slices=1828264, decompressed_slices=467678, duration.command.search.index=16841, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=159930, invocations.command.search.rawdata.bucketcache.hit=28, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12720189, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 00:17:28.273, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654560900_44143', total_run_time=90.07, event_count=0, result_count=0, available_count=0, scan_count=30709816, drop_count=0, exec_time=1654560950, api_et=1654546500.000000000, api_lt=1654560900.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654546500.000000000, search_lt=1654560900.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3204", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=1, considered_events=30709816, total_slices=1850902, decompressed_slices=468198, duration.command.search.index=16599, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=131683, invocations.command.search.rawdata.bucketcache.hit=29, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12732496, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 00:16:26.724, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5aa5af35260294fb5_at_1654560960_44154', total_run_time=11.95, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654560971, api_et=1654556760.000000000, api_lt=1654560360.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654557360.000000000, search_lt=1654560973.271389000, is_realtime=0, savedsearch_name="Threat - DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API - Rule", search_startup_time="3767", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_dce24c6783f03e8d", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=1133, eliminated_buckets=405, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=1165, invocations.command.search.index.bucketcache.hit=1133, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=customer_utility sourcetype=access_combined "services/rapid_diag/" payload (run_command OR sendalert OR sendemail) earliest=-1h | rex field=uri_path ".+(?task_(?:runner|rerun|abort|delete))$" `comment("START: Cleanup double encoding and extract payload metdata")` | rex field=uri "\?(?.+$)" | eval get_params = urldecode(get_parameters) | eval get_params = urldecode(get_params) | eval len_get_params = len(get_params) | rex field=get_params max_match=50 "(?m)name\"?[:=]\"?(?.+?)[\"&]" `comment("END: Cleanup double encoding and extract payload metdata")` | bucket span=1d _time | stats earliest(_time) as event_time values(task_name) as task_names sum(bytes) as total_bytes 
values(get_params) as get_params max(len_get_params) as max_len_get_params count as request_count by clientip useragent dest rapiddiag_operation uri_path method status _time sourcetype index | iplocation clientip | `ag_asn(clientip)` | table _time clientip Region Country ag_description useragent dest rapiddiag_operation task_names uri_path request_count max_len_get_params total_bytes method status get_params | sort - _time | eval risk_object=dest, risk_object_context="Tshirt Server", risk_threat_object=mvjoin(task_names,","), risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1334 - CSRF Exploit Attempt Against Tshirt RapidDiag API", risk_description="The RapidDiag tasks (" . risk_threat_object . ") on host ". risk_object . " contain(s) risky tshirt commands that may indicate a CSRF attack." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type="system", _time=now(), risk_create_notable=1 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 00:15:25.356, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654560780_44102', total_run_time=75.02, event_count=0, result_count=0, available_count=0, scan_count=30745595, drop_count=0, exec_time=1654560829, api_et=1654546380.000000000, api_lt=1654560780.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654546380.000000000, search_lt=1654560780.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2768", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=139, eliminated_buckets=1, considered_events=30745595, total_slices=1846987, 
decompressed_slices=468742, duration.command.search.index=13623, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=116348, invocations.command.search.rawdata.bucketcache.hit=29, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12743266, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 00:14:55.309, 
user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD516f3711b0ce2f741_at_1654560840_44112', total_run_time=20.31, event_count=0, result_count=0, available_count=0, scan_count=20041, drop_count=0, exec_time=1654560863, api_et=1654557240.000000000, api_lt=1654560840.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654557240.000000000, search_lt=1654560865.184118000, is_realtime=0, savedsearch_name="Threat - DMOESS1308 - Host - Windows - File-based Threat Indicator Detected - Rule", search_startup_time="2883", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=410, eliminated_buckets=282, considered_events=20862, total_slices=324295, decompressed_slices=4291, duration.command.search.index=1437, invocations.command.search.index.bucketcache.hit=410, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=7773, invocations.command.search.rawdata.bucketcache.hit=3, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:DmpFileWritten=49, sourcetype_count__crowdstrike:falcon:fdr:NewExecutableWritten=353, sourcetype_count__crowdstrike:falcon:fdr:NewScriptWritten=973, sourcetype_count__crowdstrike:falcon:fdr:OleFileWritten=229, sourcetype_count__crowdstrike:falcon:fdr:OoxmlFileWritten=11, sourcetype_count__crowdstrike:falcon:fdr:PeFileWritten=201, sourcetype_count__crowdstrike:falcon:fdr:ZipFileWritten=11, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` event_platform=win earliest=-1h (sourcetype="crowdstrike:falcon:fdr:FileRenameInfo") OR (sourcetype="crowdstrike:falcon:fdr:GenericFileWritten" OR sourcetype="crowdstrike:falcon:fdr:MachOFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewScriptWritten" OR sourcetype="crowdstrike:falcon:fdr:PeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:BZip2FileWritten" OR sourcetype="crowdstrike:falcon:fdr:CustomIOAFileWrittenDetectionInfoEvent" OR sourcetype="crowdstrike:falcon:fdr:DmpFileWritten" OR sourcetype="crowdstrike:falcon:fdr:DwgFileWritten" OR sourcetype="crowdstrike:falcon:fdr:IdwFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:JavaClassFileWritten" OR sourcetype="crowdstrike:falcon:fdr:NewExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:OleFileWritten" OR sourcetype="crowdstrike:falcon:fdr:OoxmlFileWritten" OR sourcetype="crowdstrike:falcon:fdr:PackedExecutableWritten" OR sourcetype="crowdstrike:falcon:fdr:PdfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:RtfFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SevenZipFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousEseFileWritten" OR sourcetype="crowdstrike:falcon:fdr:SuspiciousPeFileWritten" OR sourcetype="crowdstrike:falcon:fdr:TarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:XarFileWritten" OR sourcetype="crowdstrike:falcon:fdr:ZipFileWritten") `filter_indicator_bloom(dmo_host_windows_threat_indicators,filename)` | `filter_indicator_regex(dmo_host_windows_threat_indicators,filename,TargetFileName)` | fillnull 
value=None SHA256HashData | stats earliest(_time) as event_time by src aid aip index sourcetype TargetFileName SHA256HashData notable reference description | eval risk_object=src, risk_object_context="File-based Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1308 - Host - Windows - File-based Threat Indicator Detected", risk_description=description." on host ".src." (CrowdStrike Agent ID: ".aid.") [".CommandLine."]" | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | collect index=risk'] Audit:[timestamp=06-07-2022 00:13:25.198, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654560660_44055', total_run_time=72.07, event_count=0, result_count=0, available_count=0, scan_count=30783503, drop_count=0, exec_time=1654560709, api_et=1654546260.000000000, api_lt=1654560660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654546260.000000000, search_lt=1654560660.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3426", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=0, considered_events=30783503, total_slices=1843033, decompressed_slices=469238, duration.command.search.index=13514, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, 
invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=111942, invocations.command.search.rawdata.bucketcache.hit=29, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12755172, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 00:11:30.088, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5791c35655e676886_at_1654560660_44039', total_run_time=5.29, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1654560665, 
api_et=1654557060.000000000, api_lt=1654560660.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654557060.000000000, search_lt=1654560667.598278000, is_realtime=0, savedsearch_name="Threat - DMOESS1287 - Excessive Forking in Gitlab - Rule", search_startup_time="2936", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_a8fd8d26d7c60716", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=140, eliminated_buckets=63, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=35, invocations.command.search.index.bucketcache.hit=139, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=gitlab sourcetype=gitlab:gitlab_rails (source=/var/log/gitlab/gitlab-rails/production_json.log) controller=Projects::ForksController action=create earliest=-1h | rex field=location "http[s]?:\/\/(?.+?)\/" | rename src as src_ip | stats earliest(_time) as event_time dc(location) as forked_repo_count values(location) as forked_repos by src_ip index 
sourcetype dest_host username | search forked_repo_count > 3 | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=username, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1287 - Excessive Forking in Gitlab", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 00:11:28.222, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654560540_43997', total_run_time=88.56, event_count=0, result_count=0, available_count=0, scan_count=30815249, drop_count=0, exec_time=1654560590, api_et=1654546140.000000000, api_lt=1654560540.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654546140.000000000, search_lt=1654560540.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2716", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=138, eliminated_buckets=1, considered_events=30815249, total_slices=1838756, decompressed_slices=469624, duration.command.search.index=15162, invocations.command.search.index.bucketcache.hit=138, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=129573, invocations.command.search.rawdata.bucketcache.hit=29, 
duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12764807, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 00:10:50.193, user=u00002, action=search, info=completed, search_id='scheduler__u00002__search__RMD5b133e58a16dd7195_at_1654560000_43913', total_run_time=291.08, event_count=2696, result_count=2695, available_count=0, scan_count=1756413, drop_count=0, exec_time=1654560288, api_et=1654473600.000000000, api_lt=1654560000.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1567209600.000000000, search_lt=1654560000.000000000, 
is_realtime=0, savedsearch_name="DMO Confluence Aging Metrics", search_startup_time="64694", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_search_u00002_54cfba05d02e15ec", app="search", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=30399, eliminated_buckets=4774, considered_events=1756413, total_slices=14108018, decompressed_slices=1089689, duration.command.search.index=1197771, invocations.command.search.index.bucketcache.hit=27861, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=2560, duration.command.search.index.bucketcache.miss=415262, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=349638, invocations.command.search.rawdata.bucketcache.hit=20748, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=832, duration.command.search.rawdata.bucketcache.miss=274177, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__access=71088, sourcetype_count__atlassian:confluence:access=1170765, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search earliest=08/31/2019:00:00:00 latest=now index=ops_confluence url IN ("https://confluence.tshirt.com/display/SEC/*") uri_path="/rest/quickreload/latest/*" | fields url, uri_path | rex field=uri_path "\/rest\/quickreload\/latest\/(?[^?]+)" | rex field=url "https:\/\/confluence.tshirt.com\/display\/SEC\/(?[^?]+)" | rex field=url "https://confluence.tshirt.com/display/~u00001/(?[^?]+)" | eval pageTitle=coalesce(pageTitle_1, pageTitle_2, "") | fields pageId, pageTitle | 
dedup pageId | join type=left pageId [search earliest=08/31/2019:00:00:00 latest=now index=ops_confluence PUT user=* url="https://confluence.tshirt.com/pages/resumedraft.action?draftId=*" uri_path="/rest/api/content/*" | rex field=uri_path "\/rest\/api\/content\/(?[^?]+)\?status=draft" | stats latest(_time) AS last_edited latest(user) AS last_edited_by by pageId | fields last_edited last_edited_by pageId] | fields last_edited pageTitle pageId last_edited_by | eval days=round(((now()-last_edited)/86400),0) | convert ctime(last_edited) | table last_edited pageTitle pageId last_edited_by days | where pageId!=0 | sort +days | outputlookup dmo_conf_age.csv'] Audit:[timestamp=06-07-2022 00:10:48.290, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD53a06c5999aa33902_at_1654560540_43988', total_run_time=37.17, event_count=7, result_count=7, available_count=0, scan_count=4812426, drop_count=0, exec_time=1654560545, api_et=1654556340.000000000, api_lt=1654559940.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654556340.000000000, search_lt=1654559940.000000000, is_realtime=0, savedsearch_name="Threat - DMOESS1292 - AWS Cross-Account Access Granted - Rule", search_startup_time="3252", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_f51236c36974f3bf", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=773, eliminated_buckets=380, considered_events=4812426, total_slices=1236476, decompressed_slices=225126, duration.command.search.index=2289, invocations.command.search.index.bucketcache.hit=768, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, 
duration.command.search.rawdata=39244, invocations.command.search.rawdata.bucketcache.hit=12, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__aws:cloudtrail=110, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search (index=aws*cloudtrail OR index=k8s_stage OR index=k8s_prod) sourcetype=aws:cloudtrail eventSource=iam.amazonaws.com (action=created OR action=modified) earliest=-70m latest=-10m assumerole NOT userName IN (srv_ops) | rex field=requestParameters.policyDocument "\"arn:aws:iam::(?\d+?):(?.+?)\"" | where granted_account_id != recipientAccountId | stats earliest(_time) as event_time count as event_count by index sourcetype src userName userAgent eventSource eventName recipientAccountId granted_account_id granted_principal_name action | eval risk_object=recipientAccountId, risk_object_context="AWS Access", risk_threat_object=granted_account_id, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1292 - AWS Cross-Account Access Granted", risk_description="Changes in external AWS account access policies provide insight into potential exfiltration activity" | makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=recipientAccountId,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 00:09:25.326, user=u00002, action=search, info=completed, 
search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654560420_43964', total_run_time=77.18, event_count=0, result_count=0, available_count=0, scan_count=30842951, drop_count=0, exec_time=1654560469, api_et=1654546020.000000000, api_lt=1654560420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654546020.000000000, search_lt=1654560420.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2713", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=30842951, total_slices=1835128, decompressed_slices=470036, duration.command.search.index=16543, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=140487, invocations.command.search.rawdata.bucketcache.hit=29, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12774650, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" 
src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 00:08:55.349, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5ccc653921e899bc1_at_1654560420_43967', total_run_time=36.16, event_count=1119, result_count=58, available_count=0, scan_count=462841, drop_count=0, exec_time=1654560480, api_et=1654556820.000000000, api_lt=1654560420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654556820.000000000, search_lt=1654560482.471053000, is_realtime=0, savedsearch_name="Threat - DMOESS1306 - Host - Windows - CLI Threat Indicator Detected - Rule", search_startup_time="2914", has_error_msg=false, fully_completed_search=true, is_prjob=false, app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical", workload_pool=standard_perf, searched_buckets=411, eliminated_buckets=200, considered_events=470941, total_slices=448993, decompressed_slices=115394, duration.command.search.index=6101, invocations.command.search.index.bucketcache.hit=411, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=52231, invocations.command.search.rawdata.bucketcache.hit=5, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__crowdstrike:falcon:fdr:CommandHistory=2, sourcetype_count__crowdstrike:falcon:fdr:ProcessRollup2=367611, sourcetype_count__crowdstrike:falcon:fdr:SyntheticProcessRollup2=38213, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` (sourcetype="crowdstrike:falcon:fdr:ProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:SyntheticProcessRollup2" OR sourcetype="crowdstrike:falcon:fdr:CommandHistory") event_platform=win earliest=-1h `filter_indicator_bloom(dmo_host_windows_threat_indicators,cli)` | eval CommandLine=coalesce(CommandHistory, CommandLine) | `filter_indicator_regex(dmo_host_windows_threat_indicators,cli,CommandLine)` | fields src aid aip index sourcetype CommandLine CommandHistory notable reference description | rex mode=sed field=CommandLine "s/[^ -~]+//g" | fillnull value=None | bucket _time span=1h | stats earliest(_time) as event_time by src aid aip index sourcetype CommandLine notable reference description | `ctime(event_time)` | eval risk_object=src, risk_object_context="CLI Indicator discovered on this system", risk_threat_object=src, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1306 - Host - Windows - CLI Threat Indicator Detected", 
risk_description=description | `rba_enrich_uc` | eval risk_object_type="system", _time=now(), risk_create_notable=notable, risk_mitre_technique=mitre_technique, risk_mitre_tactic=mitre_tactic | `dmoess1306_commandline_exclusions` | collect index=risk'] Audit:[timestamp=06-07-2022 00:07:55.600, user=u00001, action=search, info=completed, search_id='scheduler__u00001__TshirtEnterpriseSecuritySuite__RMD5033febc43d1492e6_at_1654560420_43959', total_run_time=14.86, event_count=0, result_count=0, available_count=0, scan_count=1, drop_count=0, exec_time=1654560448, api_et=1654556820.000000000, api_lt=1654560420.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654556820.000000000, search_lt=1654560449.920604000, is_realtime=0, savedsearch_name="Threat - DMOESS1291 - ScaleFT SCP To Gitlab Servers - Rule", search_startup_time="2808", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00001_144c3f101b8fb67c", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=411, eliminated_buckets=200, considered_events=1, total_slices=3147, decompressed_slices=1, duration.command.search.index=1454, invocations.command.search.index.bucketcache.hit=411, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=140, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sas_threat_research+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search `index_sec_edr` sourcetype=*ProcessRollup2 CommandLine="sft*" (sftp OR scp) earliest=-1h ( CommandLine=*bastion.src-dev.tshirt8s.io* OR CommandLine=*bastion.src-staging.tshirt8s.io* OR CommandLine=*bastion.src.tshirt8s.io* OR CommandLine=*server-i-0e581db96290b76ef* OR CommandLine=*server-i-0df76f0b13e4c0596* OR CommandLine=*server-i-0000036358d2ee3dc* OR CommandLine=*runner-i-* ) | rex field=CommandLine "sft\s.+?\s(?(?:bastion|server|runner).+?)$" | fillnull value=None CommandLine | stats earliest(_time) as event_time count by index sourcetype aid aip CommandLine dest_host ComputerName event_platform | rename ComputerName as src_host | eval risk_object=dest_host, risk_object_context="gitlab", risk_threat_object=src_host, risk_event_time=event_time, risk_index=index, risk_sourcetype=sourcetype, risk_search_name="DMOESS1291 - ScaleFT SCP To Gitlab Servers", risk_description="Identify potential insider threat attempting to collect intellectual property from the Gitlab source control system." 
| makemv risk_object delim=; | mvexpand risk_object | eval risk_object_type=case(risk_object=dest_host,"other"), _time=now(), risk_create_notable=0 | `rba_enrich_uc` | collect index=risk'] Audit:[timestamp=06-07-2022 00:07:25.548, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654560300_43930', total_run_time=93.67, event_count=0, result_count=0, available_count=0, scan_count=30884761, drop_count=0, exec_time=1654560350, api_et=1654545900.000000000, api_lt=1654560300.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654545900.000000000, search_lt=1654560300.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2758", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=30884761, total_slices=1831353, decompressed_slices=470708, duration.command.search.index=19187, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=173212, invocations.command.search.rawdata.bucketcache.hit=29, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12787510, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 00:06:23.980, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654560120_43819', total_run_time=145.79, event_count=0, result_count=0, available_count=0, scan_count=30931236, drop_count=0, exec_time=1654560170, api_et=1654545720.000000000, api_lt=1654560120.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654545720.000000000, search_lt=1654560120.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="2881", has_error_msg=false, fully_completed_search=true, is_prjob=false, 
acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=30931236, total_slices=1825360, decompressed_slices=471591, duration.command.search.index=27812, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=270740, invocations.command.search.rawdata.bucketcache.hit=28, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12803392, search_type=adhoc, roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval 
time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv'] Audit:[timestamp=06-07-2022 00:02:45.301, user=u00002, action=search, info=completed, search_id='scheduler__u00002__TshirtEnterpriseSecuritySuite__RMD595343ebc647c6c30_at_1654560000_43751', total_run_time=99.62, event_count=0, result_count=0, available_count=0, scan_count=30981468, drop_count=0, exec_time=1654560049, api_et=1654545600.000000000, api_lt=1654560000.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1654545600.000000000, search_lt=1654560000.000000000, is_realtime=0, savedsearch_name="(2/3)_Public/NAT IP_Updating New IP", search_startup_time="3498", has_error_msg=false, fully_completed_search=true, is_prjob=false, acceleration_id="8764D646-248C-4D13-9A80-0B9CB01C884E_TshirtEnterpriseSecuritySuite_u00002_3330fdd379dc7512", app="TshirtEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", workload_pool=standard_perf, searched_buckets=137, eliminated_buckets=0, considered_events=30981468, total_slices=1821132, decompressed_slices=472486, duration.command.search.index=26801, invocations.command.search.index.bucketcache.hit=137, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=266575, invocations.command.search.rawdata.bucketcache.hit=28, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__pan:traffic=12825767, search_type=adhoc, 
roles='access_everyone+access_it+access_restricted+access_skynet_minty_gitlab_logs+capability_list_storage_passwords+ess_admin+ess_analyst+ess_user+index_sgs+phantom+power+proxy_admin+sas_es_analyst+sas_es_mission_control_admin+sas_es_observer+sas_es_power+sc_admin+tc_admin+tc_user+tokens_auth+user+windows-admin', search='search index=pan_logs sourcetype="pan:traffic" dest_zone="UNTRUST" src_zone!="UNTRUST" src_translated_ip!="0.0.0.0" NOT src_translated_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | fields src_translated_ip, host, src_zone, dest_zone, _time | lookup gso_dmo_tshirtNAT.csv src_translated_ip, host OUTPUTNEW src_translated_ip AS existing_ip, host AS existing_host, earliest_seen AS existing_es | eval isNew=if(src_translated_ip==existing_ip, "False", "True") | search isNew="True" | stats values(src_zone) as ServiceType values(dest_zone) latest(_time) as latest_seen earliest(_time) as earliest_seen by host src_translated_ip | eval right_now=now() | eval time_diff=round((right_now-latest_seen)/86400,0) | convert ctime(right_now), ctime(earliest_seen), ctime(latest_seen) | fields host, src_translated_ip, ServiceType, right_now, earliest_seen, latest_seen, time_diff | sort host | outputlookup append=t gso_dmo_tshirtNAT.csv']